diff --git a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
index 097c07ebbdc..dfd7fef89c7 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
+++ b/Solutions/Endpoint Threat Protection Essentials/Analytic Rules/MacroInvokingShellBrowserWindowCOMObjects.yaml
@@ -1,8 +1,7 @@
 id: e7470b35-0128-4508-bfc9-e01cfb3c2eb7
 name: Detecting Macro Invoking ShellBrowserWindow COM Objects
 description: |
- 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.
- Ref: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html'
+ 'This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.'
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -45,5 +44,5 @@ entityMappings:
 fieldMappings:
 - identifier: Name
 columnName: User
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip
new file mode 100644
index 00000000000..ee29b66421d
Binary files /dev/null and b/Solutions/Endpoint Threat Protection Essentials/Package/3.0.5.zip differ
diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
index c6787580ef4..0db86f62ca5 100644
--- a/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
+++ b/Solutions/Endpoint Threat Protection Essentials/Package/createUiDefinition.json
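Review bot: The rewritten description on the `+` line keeps the grammatical gap of the line it replaces — a verb is missing between "COM Objects" and "evade" — so while it is being touched it should read `'This query detects a macro invoking ShellBrowserWindow COM Objects to evade naive parent/child Office detection rules.'`. Dropping the `Ref:` line also removes the only attribution for where this detection logic comes from; if the URL is being removed because it no longer resolves, a short prose credit in the description would keep the provenance available to analysts tuning the rule. Separately, the packaged form of this rule in the mainTemplate.json hunks further down shows the query reading the `Event` table for Sysmon EventID 1 while the declared connectors are SecurityEvents and WindowsSecurityEvents with dataType SecurityEvent; since the package is generated from this YAML, the `requiredDataConnectors` list that begins at the end of this hunk presumably carries the same mismatch and is worth checking, because the portal's prerequisite check would then not reflect the Sysmon data the query actually needs.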
@@ -142,7 +142,7 @@ "name": "analytic5-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html" + "text": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules." } } ] diff --git a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json index f4de266f841..ca7fc3f2933 100644 --- a/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Endpoint Threat Protection Essentials/Package/mainTemplate.json @@ -33,7 +33,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Endpoint Threat Protection Essentials", - "_solutionVersion": "3.0.4", + "_solutionVersion": "3.0.5", "solutionId": "azuresentinel.azure-sentinel-solution-endpointthreat", "_solutionId": "[variables('solutionId')]", "huntingQueryObject1": { 
@@ -140,18 +140,18 @@ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50cbf34a-4cdd-45d7-b3f5-8b53a1d0d14f','-', '1.0.3')))]" }, "analyticRuleObject5": { - "analyticRuleVersion5": "1.0.3", + "analyticRuleVersion5": "1.0.4", "_analyticRulecontentId5": "e7470b35-0128-4508-bfc9-e01cfb3c2eb7", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'e7470b35-0128-4508-bfc9-e01cfb3c2eb7')]", "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('e7470b35-0128-4508-bfc9-e01cfb3c2eb7')))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.3')))]" + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','e7470b35-0128-4508-bfc9-e01cfb3c2eb7','-', '1.0.4')))]" }, "analyticRuleObject6": { - "analyticRuleVersion6": "1.1.4", + "analyticRuleVersion6": "1.1.5", "_analyticRulecontentId6": "75bf9902-0789-47c1-a5d8-f57046aa72df", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '75bf9902-0789-47c1-a5d8-f57046aa72df')]", "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('75bf9902-0789-47c1-a5d8-f57046aa72df')))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.4')))]" + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','75bf9902-0789-47c1-a5d8-f57046aa72df','-', '1.1.5')))]" }, "analyticRuleObject7": { "analyticRuleVersion7": "1.0.4", @@ -221,7 +221,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.4", + "description": "BackupDeletion_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -306,7 +306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.4", + "description": "Certutil-LOLBins_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", 
@@ -391,7 +391,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.4", + "description": "FileExecutionWithOneCharacterInTheName_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", @@ -476,7 +476,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.4", + "description": "PersistViaIFEORegistryKey_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -561,7 +561,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.4", + "description": "PotentialMicrosoftSecurityServicesTampering_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", 
@@ -646,7 +646,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.4", + "description": "RemoteLoginPerformedwithWMI_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", @@ -731,7 +731,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.4", + "description": "RemoteScheduledTaskCreationUpdateUsingATSVCNamedPipe_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -816,7 +816,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ScheduledTaskCreationUpdateFromUserWritableDrectory_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", 
@@ -901,7 +901,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SignedBinaryProxyExecutionRundll32_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", @@ -986,7 +986,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.4", + "description": "UnicodeObfuscationInCommandLine_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -1071,7 +1071,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.4", + "description": "SuspiciousPowerShellCommandExecution_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]", 
@@ -1156,7 +1156,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ASimProcess_CertutilLoLBins_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]", @@ -1241,7 +1241,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.4", + "description": "ASimProcess_WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]", @@ -1326,7 +1326,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.4", + "description": "DownloadOfNewFileUsingCurl_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]", 
@@ -1411,7 +1411,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.4", + "description": "WindowsFirewallUpdateUsingNetsh_HuntingQueries Hunting Query with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]", @@ -1496,7 +1496,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -1524,28 +1524,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -1561,8 +1561,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" 
@@ -1570,16 +1570,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1638,7 +1638,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "DumpingLSASSProcessIntoaFile_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -1666,16 +1666,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -1691,16 +1691,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1708,8 +1708,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "SourceImage" + "columnName": "SourceImage", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -1768,7 +1768,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1796,28 +1796,28 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -1833,8 +1833,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" @@ -1842,16 +1842,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" 
@@ -1910,7 +1910,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "LateralMovementViaDCOM_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1938,16 +1938,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -1963,8 +1963,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -1972,16 +1972,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -1989,8 +1989,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" 
@@ -2049,7 +2049,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "MacroInvokingShellBrowserWindowCOMObjects_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", 
@@ -2063,7 +2063,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.\nRef: https://blog.menasec.net/2019/02/threat-hunting-doc-with-macro-invoking.html", + "description": "This query detects a macro invoking ShellBrowserWindow COM Objects evade naive parent/child Office detection rules.", "displayName": "Detecting Macro Invoking ShellBrowserWindow COM Objects", "enabled": false, "query": "Event\n | where EventLog =~ \"Microsoft-Windows-Sysmon/Operational\" and EventID==1\n | parse EventData with * 'Image\">' Image \"<\" * 'CommandLine\">' CommandLine \"<\" * 'ParentImage\">' ParentImage \"<\" *\n | where ParentImage has \"svchost.exe\" and Image has \"rundll32.exe\" and CommandLine has \"{c08afd90-f2a1-11d1-8455-00a0c91f3880}\"\n | parse EventData with * 'ProcessGuid\">' ProcessGuid \"<\" * 'Description\">' Description \"<\" * 'CurrentDirectory\">' CurrentDirectory \"<\" * 'User\">' User \"<\" * 'LogonGuid\">' LogonGuid \"<\" * 'ParentProcessGuid\">' ParentProcessGuid \"<\" * 'ParentImage\">' ParentImage \"<\" * 'ParentCommandLine\">' ParentCommandLine \"<\" * 'ParentUser\">' ParentUser \"<\" *\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description\n | extend HostName = iif(Computer has '.',substring(Computer,0,indexof(Computer,'.')),Computer) , DnsDomain = iif(Computer has '.',substring(Computer,indexof(Computer,'.')+1),'')\n", 
@@ -2077,16 +2077,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2102,8 +2102,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -2111,16 +2111,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2128,8 +2128,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" @@ -2188,7 +2188,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "malware_in_recyclebin_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", 
@@ -2216,39 +2216,42 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvents" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ "DefenseEvasion" ], + "techniques": [ + "T1564" + ], "entityMappings": [ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Account" + "columnName": "Account", + "identifier": "Name" } ], "entityType": "Account" @@ -2256,16 +2259,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2324,7 +2327,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "PotentialRemoteDesktopTunneling_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", 
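Review bot: The packaged rule malware_in_recyclebin gains `"techniques": ["T1564"]` in this hunk and a version bump to 1.1.5 in the `analyticRuleVersion6` hunk earlier in this file, but no change to that rule's source analytic rule YAML appears in this diff, whereas the ShellBrowserWindow rule's YAML and package changes travel together. mainTemplate.json is produced from the rule YAML by the packaging tool, so either the YAML edit is outside this chunk or source and package now disagree and the technique would be lost on the next regeneration. The other hunks in this file — the `_solutionVersion` bump, the per-resource description strings and the `connectorId`/`identifier` key reordering — are regeneration noise and need no review beyond that consistency check. The enclosing analytic rule object starts before and ends after this hunk.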
@@ -2352,16 +2355,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2374,12 +2377,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -2387,16 +2390,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2404,8 +2407,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } ], "entityType": "IP" @@ -2464,7 +2467,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "RegistryPersistenceViaAppCertDLLModification_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", 
@@ -2492,16 +2495,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2517,8 +2520,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2526,16 +2529,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2594,7 +2597,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "RegistryPersistenceViaAppInt_DLLsModification_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -2622,16 +2625,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ 
@@ -2647,8 +2650,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2656,16 +2659,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2724,7 +2727,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", @@ -2752,22 +2755,22 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" }, { - "connectorId": "WindowsForwardedEvents", "dataTypes": [ "WindowsEvent" - ] + ], + "connectorId": "WindowsForwardedEvents" } ], "tactics": [ @@ -2780,12 +2783,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -2793,16 +2796,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -2861,7 +2864,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WDigestDowngradeAttack_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -2889,16 +2892,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -2911,8 +2914,8 @@ { "fieldMappings": [ { - "identifier": "Key", - "columnName": "TargetObject" + "columnName": "TargetObject", + "identifier": "Key" } ], "entityType": "RegistryKey" @@ -2920,16 +2923,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" 
@@ -2988,7 +2991,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WindowsBinariesExecutedfromNon-DefaultDirectory_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -3016,16 +3019,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -3038,12 +3041,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" @@ -3051,16 +3054,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3068,8 +3071,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" 
@@ -3128,7 +3131,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "WindowsBinariesLolbinsRenamed_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -3156,16 +3159,16 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "SecurityEvents" }, { - "connectorId": "WindowsSecurityEvents", "dataTypes": [ "SecurityEvent" - ] + ], + "connectorId": "WindowsSecurityEvents" } ], "tactics": [ @@ -3178,8 +3181,8 @@ { "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } ], "entityType": "Process" @@ -3187,16 +3190,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3204,8 +3207,8 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "User" + "columnName": "User", + "identifier": "Name" } ], "entityType": "Account" 
@@ -3264,7 +3267,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.4", + "description": "SuspiciousPowerShellCommandExecuted_AnalyticalRules Analytics Rule with template version 3.0.5", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -3292,10 +3295,10 @@ "status": "Available", "requiredDataConnectors": [ { - "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" - ] + ], + "connectorId": "MicrosoftThreatProtection" } ], "tactics": [ @@ -3308,16 +3311,16 @@ { "fieldMappings": [ { - "identifier": "FullName", - "columnName": "DeviceName" + "columnName": "DeviceName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "DvcHostname" + "columnName": "DvcHostname", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DvcDomain" + "columnName": "DvcDomain", + "identifier": "DnsDomain" } ], "entityType": "Host" @@ -3325,8 +3328,8 @@ { "fieldMappings": [ { - "identifier": "Address", - "columnName": "LocalIP" + "columnName": "LocalIP", + "identifier": "Address" } ], "entityType": "IP" @@ -3334,12 +3337,12 @@ { "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" } ], "entityType": "Account" 
@@ -3347,12 +3350,12 @@ { "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "InitiatingProcessId" + "columnName": "InitiatingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "InitiatingProcessCommandLine" + "columnName": "InitiatingProcessCommandLine", + "identifier": "CommandLine" } ], "entityType": "Process"
@@ -3414,7 +3417,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.4", + "version": "3.0.5", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Endpoint Threat Protection Essentials",
diff --git a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
index d97eb5dc01f..6fe076672e9 100644
--- a/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
+++ b/Solutions/Endpoint Threat Protection Essentials/ReleaseNotes.md
@@ -1,5 +1,6 @@
 | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
 |-------------|--------------------------------|------------------------------------------------------------------------------|
+| 3.0.5 | 18-11-2024 | Removed the broken URL in **Analytic Rule** |
 | 3.0.4 | 10-06-2024 | Added entityMappings and added missing AMA DC reference in **Analytical Rules** and **Hunting Queries** |
 | 3.0.3 | 11-03-2024 | Added few **Hunting Queries** to detect Endpoint Threats |
 | 3.0.2 | 21-02-2024 | Tagged for dependent solutions for deployment |