diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml index 24a262f8b54..1bfc617dab2 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml @@ -31,16 +31,15 @@ query: | | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR" | summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('published_t', now()) | sort by column_ifexists('published_t', now()) desc - | extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: actor_alternateId_s - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.0 + columnName: ClientIP +version: 1.1.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml index 5e01ceade65..d73fa372603 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/LoginfromUsersfromDifferentCountrieswithin3hours.yaml @@ -18,7 +18,7 @@ triggerThreshold: 0 tactics: - InitialAccess relevantTechniques: - - T1078 + - T1078.004 query: | let timeframe = ago(3h); let threshold = 2; 
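Review bot: The Account mapping now points `FullName` at `actor_alternateId_s`, which for Okta is normally the user's login in e-mail form; Sentinel correlates accounts across rules more reliably when the UPN is split, so consider adding `| extend AccountName = tostring(split(actor_alternateId_s, '@')[0]), AccountUPNSuffix = tostring(split(actor_alternateId_s, '@')[1])` after the `sort` and mapping `Name` to `AccountName` and `UPNSuffix` to `AccountUPNSuffix` in place of the single `FullName` mapping. The same applies to the LoginfromUsersfromDifferentCountrieswithin3hours hunk that follows, whose Account mapping is changed the same way. The first lines of the query (table reference and time filter) are outside this hunk.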
@@ -28,11 +28,10 @@ query: | | where outcome_result_s =~ "SUCCESS" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s | where NumOfCountries >= threshold - | extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity -version: 1.1.0 + columnName: actor_alternateId_s +version: 1.1.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml b/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml index ee8b17e490c..346741e6b3b 100644 --- a/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml +++ b/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml @@ -18,7 +18,7 @@ triggerThreshold: 0 tactics: - CredentialAccess relevantTechniques: - - T1110 + - T1110.003 query: | let FailureThreshold = 15; let FailedEvents = OktaSSO @@ -31,12 +31,11 @@ query: | | summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m) | join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated | sort by TimeGenerated desc - | extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.0 + columnName: client_ipAddress_s +version: 1.1.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml index 110e00a0d2f..3c190dc5b2e 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml 
+++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-NetworkBeaconing.yaml @@ -48,19 +48,18 @@ query: | | where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100 | where BeaconPercent > PercentBeaconThreshold - | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: SourceUserID - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: DeviceName - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.5 + columnName: DestinationIP +version: 1.0.6 kind: Scheduled \ No newline at end of file diff --git a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml index af0bd93a483..be34f7401b2 100644 --- a/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml +++ b/Solutions/PaloAlto-PAN-OS/Analytic Rules/PaloAlto-PortScanning.yaml 
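Review bot: The Host entity is now mapped to `DeviceName`, which in CommonSecurityLog is, as far as I can tell, the reporting firewall (CEF `dvchost`) rather than the endpoint that is beaconing, so every incident from this rule would name the firewall as the affected host. The PaloAlto-PortScanning hunk applies the same `DeviceName` Host mapping. If that reading of the column is right, the Host mapping should be dropped, and since the IP entity here carries `DestinationIP`, the source address should be surfaced instead (a second IP mapping on the source column, if the part of the query above this hunk still projects it).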
@@ -48,19 +48,19 @@ query: | | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP | where count_ >= 10 | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction - | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName + entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: SourceUserID - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: DeviceName - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.7 + columnName: SourceIP +version: 1.0.8 kind: Scheduled diff --git a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml index 1d44039f7f8..97e0606a506 100644 --- a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml +++ b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml 
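Review bot: The bare `+` line added after the last `summarize`, just before `entityMappings:`, is an empty line at the end of the `query: |` block scalar; default clip chomping discards it, so the query text is unchanged, but it is inconsistent with the other files in this commit (FailedLoginsFromUnknownOrInvalidUser, PaloAlto-NetworkBeaconing) that end the block cleanly, and it should be removed. The same stray empty line is added in the RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents, MalwareDetected, UserAccessedSuspiciousURLCategories, Threat Intel Matches to GitHub Audit Logs, CriticalThreatDetected and KnownMalwareDetected hunks. While touching this block, the context line `makeset(DestinationIP)` uses the deprecated aggregate; `make_set(DestinationIP)` is the current spelling and is what the PasswordSpray rule in this commit already uses.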
@@ -22,15 +22,14 @@ query: | | where Messages contains "Login failed" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP | where count_ > threshold - | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.3 + columnName: Source_IP +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml index 9148ea8de04..df5a57c36cb 100644 --- a/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml +++ b/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml @@ -22,11 +22,10 @@ query: | | where Messages startswith "Login failed" | summarize dcount(User) by Computer, bin(TimeGenerated, 15m) | where dcount_User > threshold - | extend timestamp = TimeGenerated, HostCustomEntity = Computer entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.3 + columnName: Computer +version: 1.0.4 kind: Scheduled \ No newline at end of file diff --git a/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml b/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml index 2ab896ccdd7..97276f03d35 100644 --- a/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml +++ b/Solutions/QualysVM/Analytic Rules/HighNumberofVulnDetectedV2.yaml 
@@ -22,15 +22,14 @@ query: | | where Severity_s == "5" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress | where count_ >= threshold - | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: NetBios_s - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.1 + columnName: IPAddress +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml index 5e15ea3c722..8afe81922be 100644 --- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml +++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml @@ -57,23 +57,22 @@ query: | | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url - | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: HostIP - entityType: URL fieldMappings: - identifier: Url - columnName: URLCustomEntity + columnName: Url - entityType: DNS fieldMappings: - identifier: DomainName columnName: domain -version: 1.0.3 +version: 1.0.4 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml index 2de2ef11dc7..9f8e52864de 100644 --- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml +++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml @@ -43,19 +43,19 @@ query: | | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP - | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url + entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: HostIP - entityType: URL fieldMappings: - identifier: Url - columnName: URLCustomEntity -version: 1.0.2 + columnName: Url +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml index d79ce62ccd4..bcf777f71b8 100644 --- a/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml +++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/ExcessiveBlockedTrafficGeneratedbyUser.yaml 
@@ -33,19 +33,22 @@ query: | | where Action =~ "Blocked" | join kind=inner (NoteableEvents) on UserName | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName - | extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: UserName - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: LocalHostIpAddr + - entityType: IP + fieldMappings: + - identifier: Address + columnName: RemoteHostIpAddr - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.2 + columnName: ServerName +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml index b888829e594..53d908d9ca6 100644 --- a/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml +++ b/Solutions/Symantec Endpoint Protection/Analytic Rules/MalwareDetected.yaml 
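Review bot: The Host entity keeps pointing at `ServerName`, which in Symantec Endpoint Protection traffic logs is, as far as I know, the SEP Manager that relayed the event rather than the endpoint whose traffic was blocked, so incidents would name the management server as the affected host. The `summarize ... by` in this hunk carries no endpoint host-name column, so there is nothing better to map; if the parser confirms `ServerName` is the SEPM, the Host mapping should be removed and the endpoint left to be identified by the new `LocalHostIpAddr` IP mapping. The added second IP mapping for `RemoteHostIpAddr` is reasonable, but incidents will show two IP entities with nothing marking which is local and which is remote, so the rule description (outside this hunk) should say so.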
@@ -15,26 +15,26 @@ triggerThreshold: 0 tactics: - Execution relevantTechniques: - - T1204 + - T1204.002 query: | SymantecEndpointProtection | where LogType == "Agent Risk Logs" | where CategorySet == "Malware" | where ActualAction !contains "Cleaned" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType - | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName + entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: UserName - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: SrcIpAddr - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity -version: 1.0.2 + columnName: SrcHostName +version: 1.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml index 4666f351e91..338df82e826 100644 --- a/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml +++ b/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml @@ -28,16 +28,15 @@ query: | | where RADIUSAuth =~ "Reject" | join kind=inner rejectedAccess on ClientIP | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User - | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.3 + columnName: ClientIP +version: 1.0.4 status: Available kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml index 79e08e4ca03..c16f8cf2d2d 100644 --- a/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml +++ b/Solutions/Symantec VIP/Analytic Rules/ExcessiveFailedAuthenticationsfromInvalidInputs.yaml @@ -22,16 +22,15 @@ query: | | where RADIUSAuth =~ "Reject" | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP | where Total > threshold - | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: User - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.3 + columnName: ClientIP +version: 1.0.4 status: Available kind: Scheduled \ No newline at end of file diff --git a/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml b/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml index 6bdfaf5df73..b0e87f077d0 100644 --- a/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml +++ b/Solutions/SymantecProxySG/Analytic Rules/ExcessiveDeniedProxyTraffic.yaml @@ -24,15 +24,14 @@ query: | | where sc_filter_result =~ "DENIED" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host | where count_ > threshold - | extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: cs_host - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.4 + columnName: c_ip +version: 1.0.5 kind: Scheduled \ No newline at end of file 
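Review bot: In the ExcessiveDeniedProxyTraffic hunk `cs_host` is mapped to a Host entity, but in ProxySG access logs it is the host name taken from the requested URL, i.e. the remote web server, not a machine in the environment, so the Host entity would point at an external site. A DNS entity fits better: replace the Host block with `- entityType: DNS`, `identifier: DomainName` and `columnName: cs_host`, the same pattern the RecordedFutureDomainMalwareC2inSyslogEvents hunk in this commit already uses for its `domain` column. The UserAccessedSuspiciousURLCategories hunk also groups by `cs_host` but leaves it unmapped, and the same DNS mapping would apply there.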
diff --git a/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml b/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml index 75f706b9b77..309a9915243 100644 --- a/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml +++ b/Solutions/SymantecProxySG/Analytic Rules/UserAccessedSuspiciousURLCategories.yaml @@ -23,19 +23,19 @@ query: | | mv-expand cs_categories | where cs_categories has_any ("Suspicious","phishing", "hacking") | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer, tostring(cs_categories) - | extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer + entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: cs_userdn - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Computer - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.4 + columnName: c_ip +version: 1.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml index 6927bddd8af..41409859ee1 100644 --- a/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml +++ b/Solutions/Threat Intelligence/Analytic Rules/Threat Intel Matches to GitHub Audit Logs.yaml 
@@ -42,15 +42,15 @@ query: | ) on $left.TI_ipEntity == $right.IPaddress | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, GitHubAudit_TimeGenerated, TI_ipEntity, IPaddress, Actor, Action, Country, OperationType, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress - | extend timestamp = GitHubAudit_TimeGenerated, IPCustomEntity = IPaddress, AccountCustomEntity = Actor + entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Actor - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.4 + columnName: IPaddress +version: 1.0.5 kind: Scheduled \ No newline at end of file diff --git a/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml b/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml index 70768e6a864..4299f936656 100644 --- a/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml +++ b/Solutions/VMware Carbon Black Cloud/Analytic Rules/CriticalThreatDetected.yaml 
@@ -23,15 +23,15 @@ query: | | extend eventTime = datetime(1970-01-01) + tolong(threatHunterInfo_time_d/1000) * 1sec | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, Threat_Name = threatHunterInfo_reportName_s, Device_Name = deviceInfo_deviceName_s, Internal_IP = deviceInfo_internalIpAddress_s, External_IP = deviceInfo_externalIpAddress_s, Threat_Score = threatHunterInfo_score_d | project-away count_ - | extend timestamp = StartTime, HostCustomEntity = Device_Name, IPCustomEntity = Internal_IP + entityMappings: - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: Device_Name - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.1 + columnName: Internal_IP +version: 1.0.2 kind: Scheduled \ No newline at end of file diff --git a/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml b/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml index bffb2c37c88..dae7af5b04c 100644 --- a/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml +++ b/Solutions/VMware Carbon Black Cloud/Analytic Rules/KnownMalwareDetected.yaml 
@@ -21,19 +21,19 @@ query: | | extend eventTime = datetime(1970-01-01) + tolong(eventTime_d/1000) * 1sec | where targetApp_effectiveReputation_s =~ "KNOWN_MALWARE" | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by eventTime, deviceDetails_deviceName_s, deviceDetails_deviceIpAddress_s, processDetails_fullUserName_s, processDetails_targetName_s - | extend timestamp = StartTime, AccountCustomEntity = processDetails_fullUserName_s, HostCustomEntity = deviceDetails_deviceName_s, IPCustomEntity = deviceDetails_deviceIpAddress_s + entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: processDetails_fullUserName_s - entityType: Host fieldMappings: - identifier: FullName - columnName: HostCustomEntity + columnName: deviceDetails_deviceName_s - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.1 + columnName: deviceDetails_deviceIpAddress_s +version: 1.0.2 kind: Scheduled \ No newline at end of file