forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'Azure:master' into master
- Loading branch information
Showing
137 changed files
with
2,988 additions
and
3,375 deletions.
There are no files selected for viewing
430 changes: 0 additions & 430 deletions
430
.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
25 changes: 24 additions & 1 deletion
25
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,27 @@ | ||
| id: 518e6938-10ef-4165-af19-82f1287141bc | ||
| name: ATP policy status check | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/ATP%20policy%20status%20check.yaml' | ||
| This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365. | ||
| description-detailed: | | ||
| This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365. | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - CloudAppEvents | ||
| tactics: | ||
| - DefenseEvasion | ||
| relevantTechniques: | ||
| - T1562 | ||
| query: | | ||
| CloudAppEvents | ||
| | where Application == "Microsoft Exchange Online" | ||
| | where ActionType == "Set-AtpPolicyForO365" | ||
| | mv-expand ActivityObjects | ||
| | extend Name = tostring(ActivityObjects.Name) | ||
| | extend Value = tostring(ActivityObjects.Value) | ||
| | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen") | ||
| | extend packed = pack(Name, Value) | ||
| | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName | ||
| | evaluate bag_unpack(PackedInfo) | ||
| version: 1.0.0 |
16 changes: 15 additions & 1 deletion
16
Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,18 @@ | ||
| id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a | ||
| name: JNLP-File-Attachment | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/JNLP%20attachment.yaml' | ||
| JNLP file extensions are an uncommon file type often used to deliver malware. | ||
| description-detailed: | | ||
| JNLP file extensions are an uncommon file type often used to deliver malware. | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - EmailAttachmentInfo | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| EmailAttachmentInfo | ||
| | where FileName endswith ".jnlp" | ||
| version: 1.0.0 |
21 changes: 20 additions & 1 deletion
21
...ng Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,23 @@ | ||
| id: 16eda414-1550-4cdc-8512-0769901d3f05 | ||
| name: Safe Attachments detections | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/Safe%20attachment%20detection.yaml' | ||
| This query provides insights on the detections done by Safe Attachment detections | ||
| description-detailed: | | ||
| This query provides insights on the detections done by Safe Attachment detections. | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - EmailEvents | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| EmailEvents | ||
| | where DetectionMethods != "" | ||
| | extend detection= tostring(parse_json(DetectionMethods).Phish) | ||
| | where detection has "File detonation reputation" or detection has "File detonation" | ||
| | summarize total=count() by bin(Timestamp, 1d) | ||
| | order by Timestamp asc | ||
| version: 1.0.0 |
21 changes: 20 additions & 1 deletion
21
... Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,23 @@ | ||
| id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422 | ||
| name: Authentication failures by time and authentication type | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Authentication%20failures.yaml' | ||
| This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth | ||
| description-detailed: | | ||
| This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results. | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - EmailEvents | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| EmailEvents | ||
| | where Timestamp > ago (30d) | ||
| | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods | ||
| | evaluate bag_unpack(AR) | ||
| | where DMARC == "fail" | ||
| | summarize count() by bin(Timestamp, 1d) | ||
| version: 1.0.0 |
20 changes: 19 additions & 1 deletion
20
...Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,22 @@ | ||
| id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72 | ||
| name: Spoof attempts with auth failure | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml' | ||
| This query helps in checking for spoofing attempts on the domain with Authentication failures | ||
| description-detailed: | | ||
| This query helps in checking for spoofing attempts on the domain with Authentication failures. | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - EmailEvents | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| EmailEvents | ||
| | where Timestamp > ago (1d) and DetectionMethods contains "spoof" | ||
| | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames | ||
| | evaluate bag_unpack(AR) | ||
| | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail" | ||
| version: 1.0.0 |
27 changes: 26 additions & 1 deletion
27
...ies/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,29 @@ | ||
| id: ba1a91ad-1f99-4386-b191-06a76ef213f8 | ||
| name: Audit Email Preview-Download action | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Audit%20Email%20Preview-Download%20action.yaml' | ||
| This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365 | ||
| description-detailed: | | ||
| This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365 | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - CloudAppEvents | ||
| tactics: | ||
| - PrivilegeEscalation | ||
| relevantTechniques: | ||
| - T1078 | ||
| query: | | ||
| CloudAppEvents | ||
| | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) | ||
| | evaluate bag_unpack(AR) | ||
| | where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl" | ||
| | serialize | ||
| | extend RowNumber = row_number() | ||
| | mv-expand ExtendedProperties | ||
| | evaluate bag_unpack(ExtendedProperties, 'xp_') | ||
| | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '') | ||
| | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber | ||
| | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0]) | ||
| | project-away RowNumber | ||
| version: 1.0.0 |
18 changes: 17 additions & 1 deletion
18
Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,20 @@ | ||
| id: bc2d8214-afb6-4876-b210-25b69325b9b2 | ||
| name: Hunt for TABL changes | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Hunt%20for%20TABL%20changes.yaml' | ||
| This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365 | ||
| description-detailed: | | ||
| This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365 | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - CloudAppEvents | ||
| tactics: | ||
| - DefenseEvasion | ||
| relevantTechniques: | ||
| - T1562 | ||
| query: | | ||
| CloudAppEvents | ||
| | where ActionType contains "TenantAllowBlockListItems" | ||
| | order by Timestamp desc | ||
| version: 1.0.0 |
18 changes: 17 additions & 1 deletion
18
...eries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,20 @@ | ||
| id: 712ffdd8-ddce-4372-85dd-063029b418cf | ||
| name: Local time to UTC time conversion | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Local%20time%20to%20UTC%20time%20conversion.yaml' | ||
| Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings. | ||
| description-detailed: | | ||
| This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - EmailEvents | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| EmailEvents | ||
| | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid")) | ||
| | where DeliveryAction == "Delivered" | ||
| | where LatestDeliveryLocation == "Quarantine" | ||
| version: 1.0.0 |
64 changes: 63 additions & 1 deletion
64
...ries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,66 @@ | ||
| id: deb4b2c6-c10e-4044-8cf4-84243e40db73 | ||
| name: MDO daily detection summary report | ||
| description: | | ||
| 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/MDO%20daily%20detection%20summary%20report.yaml' | ||
| This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365 | ||
| description-detailed: | | ||
| This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result | ||
| Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about | ||
| requiredDataConnectors: | ||
| - connectorId: MicrosoftThreatProtection | ||
| dataTypes: | ||
| - CloudAppEvents | ||
| - AlertEvidence | ||
| - EmailEvents | ||
| - EmailPostDeliveryEvents | ||
| tactics: | ||
| - InitialAccess | ||
| relevantTechniques: | ||
| - T1566 | ||
| query: | | ||
| let QueryTime = 30d; | ||
| let Reports = CloudAppEvents | ||
| | where Timestamp > ago(QueryTime) | ||
| | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" | ||
| | extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate) | ||
| | extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId) | ||
| | extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd")) | ||
| | distinct Date_value,NetworkMessageID | ||
| | summarize count() by Date_value | ||
| | project Date_value, MessagesGotReported=count_; | ||
| let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish") | ||
| | extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict) | ||
| | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) | ||
| | extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation)) | ||
| | summarize PostDeliveryTotalAIRInvestigations = count(), | ||
| PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"), | ||
| PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"), | ||
| PostDeliveryAirMalicious = countif(DetectionFromAIR contains "Malicious") | ||
| by Date_value //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks | ||
| | project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious; | ||
| let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime) | ||
| | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) | ||
| | project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress); | ||
| let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID | ||
| | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received | ||
| | summarize PostDeliveryZAP=count() by Date_value); | ||
| let DeliveryByThreat = (DeliveryInboundEvents | ||
| | where Timestamp > ago(QueryTime) | ||
| | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) | ||
| | extend MDO_detection = parse_json(DetectionMethods) | ||
| | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0])) | ||
| | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)")) | ||
| | summarize TotalEmails = count(), | ||
| Clean = countif(FirstSubcategory contains "Clean"), | ||
| Malware = countif(FirstSubcategory contains "Malware"), | ||
| Phish = countif(FirstSubcategory contains "Phish"), | ||
| Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"), | ||
| Bulk = countif(FirstSubcategory contains "Bulk") | ||
| by Date_value; | ||
| DeliveryByThreat | ||
| | join kind=fullouter Reports on Date_value | ||
| | join kind=fullouter PostDeliveryEvents on Date_value | ||
| | join kind=fullouter ThreatByAutomation on Date_value | ||
| | sort by Date_value asc | ||
| | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious | ||
| | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date | ||
| version: 1.0.0 |
Oops, something went wrong.