Merge pull request #7927 from Azure/UEBA_Essentials_ContentTesting3

UEBA_Essentials_HuntingQuery

Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml

@@ -1,11 +1,11 @@
 id: bb3bb9da-9598-4d1f-af78-7cc2fd413b0b
 name: Anomalous Sign-in Activity
 description: |
-    'Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Persistence. Umbreon, for example, creates valid users to provide access to the system.
-    The query below generates an output of successful Sign-in with one or more of the following indications:
+    'Adversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering as a means of gaining persistence." Umbreon, for example, creates valid users to provide access to the system.
+    The query below generates an output of successful sign-in with one or more of the following indications:-
     - performed by new or recently dormant accounts
-    - where one or more features of the activitiy deviates from the user, his peers or the tenant profile
-    - performed by a user with Risk indicaiton from AAD'
+    - where one or more features of the activity deviate from the user, his peers, or the tenant's profile.
+    - performed by a user with risk information from AAD'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
@@ -18,27 +18,33 @@ tactics:
 relevantTechniques:
   - T1078
 query: |
-
  BehaviorAnalytics
- | where ActionType == "Sign-in"
+ | where ActionType =~ "Sign-in"
  | where UsersInsights.IsNewAccount == True or UsersInsights.IsDormantAccount == True or ActivityInsights has "True"
- | join (
- SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != "none"
- ) on $left.SourceRecordId == $right._ItemId
- | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName),
- UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName)
+ | join kind = inner (
+ SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none"
+ ) on $left.SourceRecordId == $right._ItemId 
+ | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserPrincipalName),
+ UserName = iff(UserName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserName)
  | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
- | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId
+ | extend Name=tostring(split(UserPrincipalName, "@")[0]), UPNSuffix=tostring(split(UserPrincipalName, "@")[1])
+ | extend Account_0_Name = Name
+ | extend Account_0_UPNSuffix = UPNSuffix
+ | extend IP_0_Address = SourceIPAddress
+ | extend AzureResource_0_ResourceId = ResourceId
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: FullName
-        columnName: UserPrincipalName
+      - identifier: Name
+        columnName: Name
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address
         columnName: SourceIPAddress
   - entityType: AzureResource
     fieldMappings:
       - identifier: ResourceId
-        columnName: ResourceId
+        columnName: ResourceId
+version: 2.0.0

Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml

@@ -1,7 +1,7 @@
 id: 9ba2b304-7767-4d54-b03c-b0161ae87cc7
 name: Anomalous action performed in tenant by privileged user
 description: |
-  'Shows activties that have never been executed in the tenant, performed by a user with high privileges.'
+  'Shows activities that have never been executed in the tenant, performed by a user with high privileges.'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
@@ -11,10 +11,12 @@ relevantTechniques:
 query: |
   BehaviorAnalytics
   | where ActivityInsights.FirstTimeActionPerformedInTenant == True
-  | where UsersInsights.BlastRadius == 'High'
+  | where UsersInsights.BlastRadius =~ 'High'
   | extend AadUserId = UsersInsights.AccountObjectID
+  | extend Account_0_AadUserId = AadUserId
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: AadUserId
         columnName: AadUserId
+version: 2.0.0

Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml

@@ -1,7 +1,7 @@
 id: 7c303408-f913-42f8-8d7b-9eb64a229c4d
 name: Dormant account activity from uncommon country
 description: |
-  'Shows dormant accounts (not active in last 180 days), that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.'
+  'Shows dormant accounts (not active in the last 180 days) that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
@@ -15,9 +15,10 @@ query: |
   | where ActivityInsights.CountryUncommonlyConnectedFromInTenant == True 
     or ActivityInsights.FirstTimeConnectionViaISPInTenant == True
   | extend AadUserId = UsersInsights.AccountObjectID
+  | extend Account_0_AadUserId = AadUserId
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: AadUserId
         columnName: AadUserId
-  
+version: 2.0.0

Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml

@@ -1,7 +1,7 @@
 id: 741fdf32-e002-4577-ac9b-839fb49f128e
 name: Anomalous connection from highly privileged user
 description: |
-  'Shows all users from a given department, which have high impact on the organization, who connected to a resource for the first time, and none of their peers accessed it'
+  'Shows all users from a given department, which have a high impact on the organization, who connected to a resource for the first time and none of their peers accessed it.'
 requiredDataConnectors:
   - connectorId: BehaviorAnalytics
     dataTypes:
@@ -10,20 +10,22 @@ requiredDataConnectors:
 tactics:
 relevantTechniques:
 query: |
-  let Group = 'Helpdesk';
-  IdentityInfo 
+  let Group = 'Helpdesk'; // Update this value as per your requirement
+  IdentityInfo
   | summarize arg_max(TimeGenerated, *) by AccountObjectId //get latest information
-  | where Department == Group
-  | where BlastRadius == 'High'
-  | join ( BehaviorAnalytics
-           | where ActivityType == 'LogOn'
-           | where ActionType == 'ResourceAccess' //filter for specific activties
+  | where Department =~ Group
+  | where BlastRadius =~ 'High'
+  | join kind=inner ( BehaviorAnalytics
+           | where ActivityType =~ 'LogOn'
+           | where ActionType =~ 'ResourceAccess' //filter for specific activties
            | where ActivityInsights.FirstTimeUserAccessedResource == True
            | where ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True )
   on $left.AccountUPN == $right.UserPrincipalName
   | extend AadUserId = UsersInsights.AccountObjectID
+  | extend Account_0_AadUserId = AadUserId
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: AadUserId
-        columnName: AadUserId
+        columnName: AadUserId
+version: 2.0.0