Azure · ashwin-patil · Jan 3, 2025 · Dec 27, 2024 · Jan 2, 2025 · Jan 2, 2025
@@ -31,16 +31,15 @@ query: |
   | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
   | summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('published_t', now())
   | sort by column_ifexists('published_t', now()) desc
-  | extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s
 
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: actor_alternateId_s
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.1.0
+        columnName: ClientIP
+version: 1.1.1
 kind: Scheduled
@@ -18,7 +18,7 @@ triggerThreshold: 0
 tactics:
   - InitialAccess
 relevantTechniques:
-  - T1078
+  - T1078.004
 query: |
   let timeframe = ago(3h);
   let threshold = 2;
@@ -28,11 +28,10 @@ query: |
   | where outcome_result_s =~ "SUCCESS"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumOfCountries = dcount(column_ifexists('client_geographicalContext_country_s', int(null))) by actor_alternateId_s
   | where NumOfCountries >= threshold
-  | extend timestamp = StartTime, AccountCustomEntity = actor_alternateId_s
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
-version: 1.1.0
+        columnName: actor_alternateId_s
+version: 1.1.1
 kind: Scheduled
@@ -18,7 +18,7 @@ triggerThreshold: 0
 tactics:
   - CredentialAccess
 relevantTechniques:
-  - T1110
+  - T1110.003
 query: |
   let FailureThreshold = 15;
   let FailedEvents = OktaSSO
@@ -31,12 +31,11 @@ query: |
   | summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
   | join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
   | sort by TimeGenerated desc
-  | extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s
 
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.1.0
+        columnName: client_ipAddress_s
+version: 1.1.1
 kind: Scheduled
@@ -48,19 +48,18 @@ query: |
   | where TotalEvents > TotalEventsThreshold and MostFrequentTimeDeltaCount > MostFrequentTimeDeltaThreshold
   | extend BeaconPercent = MostFrequentTimeDeltaCount/toreal(TotalEvents) * 100
   | where BeaconPercent > PercentBeaconThreshold
-  | extend timestamp = TimeGenerated, IPCustomEntity = DestinationIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: SourceUserID
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: DeviceName
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.5
+        columnName: DestinationIP
+version: 1.0.6
 kind: Scheduled
@@ -48,19 +48,19 @@ query: |
   | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction, DestinationIP
   | where count_ >= 10
   | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), makeset(DestinationIP), totalcount = sum(count_) by DeviceName, SourceUserID, SourceIP, ApplicationProtocol, Reason, DestinationPort, Protocol, DeviceVendor, DeviceProduct, DeviceAction
-  | extend timestamp = StartTimeUtc, IPCustomEntity = SourceIP, AccountCustomEntity = SourceUserID, HostCustomEntity = DeviceName
+
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: SourceUserID
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: DeviceName
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.7
+        columnName: SourceIP
+version: 1.0.8
 kind: Scheduled
@@ -22,15 +22,14 @@ query: |
   | where Messages contains "Login failed"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
   | where count_ > threshold
-  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: User
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.3
+        columnName: Source_IP
+version: 1.0.4
 kind: Scheduled
@@ -22,11 +22,10 @@ query: |
   | where Messages startswith "Login failed"
   | summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
   | where dcount_User > threshold
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.0.3
+        columnName: Computer
+version: 1.0.4
 kind: Scheduled
@@ -22,15 +22,14 @@ query: |
   | where Severity_s == "5"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by NetBios_s, IPAddress
   | where count_ >= threshold
-  | extend timestamp = StartTime, HostCustomEntity = NetBios_s, IPCustomEntity = IPAddress
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: NetBios_s
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.1
+        columnName: IPAddress
+version: 1.0.2
 kind: Scheduled
@@ -57,23 +57,22 @@ query: |
   | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url
-  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: HostIP
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: URLCustomEntity
+        columnName: Url
   - entityType: DNS
     fieldMappings:
       - identifier: DomainName
         columnName: domain 
-version: 1.0.3
+version: 1.0.4
 kind: Scheduled
@@ -43,19 +43,19 @@ query: |
   | where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime
   | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
   | project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, Url, AdditionalInformation, HostIP
-  | extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url
+
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: HostIP
   - entityType: URL
     fieldMappings:
       - identifier: Url
-        columnName: URLCustomEntity
-version: 1.0.2
+        columnName: Url
+version: 1.0.3
 kind: Scheduled
@@ -33,19 +33,22 @@ query: |
   | where Action =~ "Blocked"
   | join kind=inner (NoteableEvents) on UserName
   | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Total = count() by UserName, RuleName, ServerName, LocalHostIpAddr, LocalPortNumber, TrafficDirection, RemoteHostIpAddr, RemotePortNumber, ApplicationName
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = UserName, HostCustomEntity = ServerName, IPCustomEntity = LocalHostIpAddr
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: UserName
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: LocalHostIpAddr
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: RemoteHostIpAddr
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.0.2
+        columnName: ServerName
+version: 1.0.3
 kind: Scheduled
@@ -15,26 +15,26 @@ triggerThreshold: 0
 tactics:
   - Execution
 relevantTechniques:
-  - T1204
+  - T1204.002
 query: |
   SymantecEndpointProtection
   | where LogType == "Agent Risk Logs"
   | where CategorySet == "Malware"
   | where ActualAction !contains "Cleaned"
   | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by SrcIpAddr, SrcHostName, UserName, FilePath, ActualAction, CategorySet, CategoryType
-  | extend timestamp = StartTimeUtc, IPCustomEntity = SrcIpAddr, HostCustomEntity = SrcHostName, AccountCustomEntity = UserName
+
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: UserName
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: SrcIpAddr
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.0.2
+        columnName: SrcHostName
+version: 1.0.3
 kind: Scheduled
@@ -28,16 +28,15 @@ query: |
   | where RADIUSAuth =~ "Reject"
   | join kind=inner rejectedAccess on ClientIP
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
-  | extend timestamp = StartTime, IPCustomEntity = ClientIP, AccountCustomEntity = User
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: User
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.3
+        columnName: ClientIP
+version: 1.0.4
 status: Available
 kind: Scheduled
@@ -22,16 +22,15 @@ query: |
   | where RADIUSAuth =~ "Reject"
   | summarize Total = count() by bin(TimeGenerated, 15m), User, ClientIP
   | where Total > threshold
-  | extend timestamp = TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = User
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: User
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.3
+        columnName: ClientIP
+version: 1.0.4
 status: Available
 kind: Scheduled
@@ -24,15 +24,14 @@ query: |
   | where sc_filter_result =~ "DENIED"
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by c_ip, cs_host
   | where count_ > threshold
-  | extend timestamp = StartTime, HostCustomEntity = cs_host, IPCustomEntity = c_ip
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: cs_host
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.4
+        columnName: c_ip
+version: 1.0.5
 kind: Scheduled
@@ -23,19 +23,19 @@ query: |
   | mv-expand cs_categories
   | where cs_categories has_any ("Suspicious","phishing", "hacking")
   | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by sc_filter_result, cs_userdn, c_ip, cs_host, Computer,  tostring(cs_categories)
-  | extend timestamp = StartTime, AccountCustomEntity = cs_userdn, IPCustomEntity = c_ip, HostCustomEntity = Computer
+
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: cs_userdn
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
+        columnName: Computer
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.4
+        columnName: c_ip
+version: 1.0.5
 kind: Scheduled