Azure · v-atulyadav · Jan 3, 2025 · Dec 29, 2024 · Dec 29, 2024 · Dec 29, 2024
@@ -0,0 +1,93 @@
+{
+	"Name": "NetworkAccessAlerts",
+	"Properties": [
+		{
+			"Name": "TenantId",
+			"Type": "string"
+		},
+		{
+			"Name": "TimeGenerated",
+			"Type": "datetime"
+		},
+		{
+			"Name": "Id",
+			"Type": "string"
+		},
+		{
+			"Name": "DisplayName",
+			"Type": "string"
+		},
+		{
+			"Name": "Severity",
+			"Type": "string"
+		},
+		{
+			"Name": "ComponentName",
+			"Type": "string"
+		},
+		{
+			"Name": "DetectionTechnology",
+			"Type": "string"
+		},
+		{
+			"Name": "AlertType",
+			"Type": "string"
+		},
+		{
+			"Name": "Description",
+			"Type": "string"
+		},
+		{
+			"Name": "ProductName",
+			"Type": "string"
+		},
+		{
+			"Name": "PolicyId",
+			"Type": "string"
+		},
+		{
+			"Name": "LastActivityDateTime",
+			"Type": "datetime"
+		},
+		{
+			"Name": "FirstActivityDateTime",
+			"Type": "datetime"
+		},
+		{
+			"Name": "SourceSystem",
+			"Type": "string"
+		},
+		{
+			"Name": "Techniques",
+			"Type": "string"
+		},
+		{
+			"Name": "SubTechniques",
+			"Type": "string"
+		},
+		{
+			"Name": "ExtendedProperties",
+			"Type": "dynamic"
+		},
+		{
+			"Name": "RelatedResources",
+			"Type": "dynamic"
+		},
+		{
+			"Name": "IsPreview",
+			"Type": "bool"
+		},
+		{
+			"Name": "CreationDateTime",
+			"Type": "datetime"
+		},
+		{
+			"Name": "Type",
+			"Type": "string"
+		},
+		{
+			"Name": "VendorName",
+			"Type": "string"
+		}
+	]
+}
@@ -1,12 +1,13 @@
 id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
 name: GSA - Detect Connections Outside Operational Hours
-description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
+description: |
+  This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
 severity: High
 status: Available
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
     dataTypes:
-      - EnrichedMicrosoft365AuditLogs
+      - NetworkAccessTrafficLogs
 queryFrequency: 1h
 queryPeriod: 24h
 triggerOperator: gt
@@ -22,7 +23,7 @@ query: |
   let operational_start_hour = 8; // Start of operational hours (8 AM)
   let operational_end_hour = 18; // End of operational hours (6 PM)
   NetworkAccessTraffic
-  | where TimeGenerated between(starttime .. endtime)
+  | where TimeGenerated between (starttime .. endtime)
   | extend HourOfDay = datetime_part('hour', TimeGenerated)
   | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
   | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
@@ -36,5 +37,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
@@ -2,12 +2,13 @@ id: e3b6a9e7-4c3a-45e6-8baf-1d3bfa8e0c2b
 name: GSA - Detect Abnormal Deny Rate for Source to Destination IP
 description: |
   Identifies abnormal deny rate for specific source IP to destination IP based on the normal average and standard deviation learned during a configured period. This can indicate potential exfiltration, initial access, or C2, where an attacker tries to exploit the same vulnerability on machines in the organization but is being blocked by firewall rules.
-configurableParameters:
-  - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
-  - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
-  - binTime: Learning buckets time in hours. Default is set to 1 hour.
-  - minimumThreshold: Minimum threshold for alert. Default is set to 5.
-  - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
+
+  Configurable Parameters:
+      - minimumOfStdsThreshold: The number of stds to use in the threshold calculation. Default is set to 3.
+      - learningPeriodTime: Learning period for threshold calculation in days. Default is set to 5.
+      - binTime: Learning buckets time in hours. Default is set to 1 hour.
+      - minimumThreshold: Minimum threshold for alert. Default is set to 5.
+      - minimumBucketThreshold: Minimum learning buckets threshold for alert. Default is set to 5.
 severity: Medium
 status: Available
 requiredDataConnectors:
@@ -30,11 +31,11 @@ query: |
   let MinThreshold = 5.0;
   let MinLearningBuckets = 5;
   let TrafficLogs = NetworkAccessTraffic
-    | where Action == 'Denied'
+    | where Action == "Denied"
     | where isnotempty(DestinationIp) and isnotempty(SourceIp);
   let LearningSrcIpDenyRate = TrafficLogs
     | where TimeGenerated between (ago(LearningPeriod + 1d) .. ago(1d))
-    | summarize count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
+    | summarize count_ = count() by SourceIp, bin(TimeGenerated, BinTime), DestinationIp
     | summarize LearningTimeSrcIpDenyRateAvg = avg(count_), LearningTimeSrcIpDenyRateStd = stdev(count_), LearningTimeBuckets = count() by SourceIp, DestinationIp
     | where LearningTimeBuckets > MinLearningBuckets;
   let AlertTimeSrcIpDenyRate = TrafficLogs
@@ -44,7 +45,7 @@ query: |
     | join kind=leftouter (LearningSrcIpDenyRate) on SourceIp, DestinationIp
     | extend LearningThreshold = max_of(LearningTimeSrcIpDenyRateAvg + NumOfStdsThreshold * LearningTimeSrcIpDenyRateStd, MinThreshold)
     | where AlertTimeSrcIpDenyRateCount > LearningThreshold
-    | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold    
+    | project SourceIp, DestinationIp, AlertTimeSrcIpDenyRateCount, LearningThreshold
 entityMappings:
   - entityType: IP
     fieldMappings:
@@ -54,5 +55,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: DestinationIp
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
@@ -1,17 +1,17 @@
 id: f6a8d6a5-3e9f-47c8-a8d5-1b2b9d3b7d6a
 name: GSA - Detect Protocol Changes for Destination Ports
 description: |
-  Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline. This can indicate potential protocol misuse or configuration changes.
-
-Configurable Parameters:
-  - Learning period - the time range to establish the baseline. Default is set to 7 days.
-  - Run time - the time range for current analysis. Default is set to 1 day.
+  Identifies changes in the protocol used for specific destination ports, comparing the current runtime with a learned baseline.
+  This can indicate potential protocol misuse or configuration changes.
+  Configurable Parameters:
+  - Learning period: The time range to establish the baseline. Default is set to 7 days.
+  - Run time: The time range for current analysis. Default is set to 1 day.
 severity: Medium
 status: Available
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
     dataTypes:
-      - EnrichedMicrosoft365AuditLogs
+      - NetworkAccessTrafficLogs
 queryFrequency: 1h
 queryPeriod: 8d
 triggerOperator: gt
@@ -50,5 +50,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: FqdnCustomEntity
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
@@ -2,15 +2,15 @@ id: 82cfa6b9-5f7e-4b8b-8b2f-a63f21b7a7d1
 name: GSA - Detect Source IP Scanning Multiple Open Ports
 description: |
   Identifies a source IP scanning multiple open ports on Global Secure Access Firewall. This can indicate malicious scanning of ports by an attacker, trying to reveal open ports in the organization that can be compromised for initial access.
-Configurable Parameters:
-  - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
-  - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
+    Configurable Parameters:
+    - Port scan time - the time range to look for multiple ports scanned. Default is set to 30 seconds.
+    - Minimum different ports threshold - alert only if more than this number of ports scanned. Default is set to 100.
 severity: Medium
 status: Available
 requiredDataConnectors:
   - connectorId: AzureActiveDirectory
     dataTypes:
-      - EnrichedMicrosoft365AuditLogs
+      - NetworkAccessTrafficLogs
 queryFrequency: 1d
 queryPeriod: 1d
 triggerOperator: gt
@@ -37,5 +37,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: DestinationFqdn
-version: 1.0.1
-kind: Scheduled
+version: 1.0.2
+kind: Scheduled
@@ -12,7 +12,6 @@
   ],
  "Analytic Rules": [
     "Analytic Rules/Identity - AfterHoursActivity.yaml",
-    "Analytic Rules/Identity - SharedSessions.yaml",
     "Analytic Rules/Office 365 - exchange_auditlogdisabled.yaml",
     "Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml",
     "Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml",