From 234e8ba85ad833ead0a741e863470d7db5d4c417 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Wed, 26 Apr 2023 18:14:06 +0530 Subject: [PATCH 1/3] UEBA_Essentials_HuntingQuery --- .../Anomalous Sign-in Activity.yaml | 36 +++++++++++-------- .../anomalousActionInTenant.yaml | 6 ++-- ...antAccountActivityFromUncommonCountry.yaml | 5 +-- .../firstConnectionFromGroup.yaml | 20 ++++++----- 4 files changed, 39 insertions(+), 28 deletions(-) diff --git a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml index d925608f0a6..dbbb8db92f9 100644 --- a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml 
@@ -1,11 +1,11 @@ id: bb3bb9da-9598-4d1f-af78-7cc2fd413b0b name: Anomalous Sign-in Activity description: | - 'Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Persistence. Umbreon, for example, creates valid users to provide access to the system. - The query below generates an output of successful Sign-in with one or more of the following indications: + 'Adversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering as a means of gaining persistence." Umbreon, for example, creates valid users to provide access to the system. + The query below generates an output of successful sign-in with one or more of the following indications: - performed by new or recently dormant accounts - - where one or more features of the activitiy deviates from the user, his peers or the tenant profile - - performed by a user with Risk indicaiton from AAD' + - where one or more features of the activity deviate from the user, his peers, or the tenant's profile. + - performed by a user with risk information from AAD' requiredDataConnectors: - connectorId: BehaviorAnalytics dataTypes: 
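Review bot: The rewritten first description line leaves a stray double quote inside the single-quoted YAML scalar, `...as a means of gaining persistence." Umbreon, for example...`, so the rendered description shows an unmatched `"`. It should read `... as a means of gaining persistence. Umbreon, for example, creates valid users to provide access to the system.`. The three indication bullets are now punctuated inconsistently as well — the second ends with a period and the other two do not — so either terminate all three or none.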
@@ -18,22 +18,27 @@ tactics: relevantTechniques: - T1078 query: | - BehaviorAnalytics - | where ActionType == "Sign-in" + | where ActionType =~ "Sign-in" | where UsersInsights.IsNewAccount == True or UsersInsights.IsDormantAccount == True or ActivityInsights has "True" | join ( - SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != "none" - ) on $left.SourceRecordId == $right._ItemId - | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserPrincipalName), - UserName = iff(UserName has "#EXT#",replace("_","@",tostring(split(UserPrincipalName, "#")[0])),UserName) - | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId - | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SourceIPAddress, ResourceCustomEntity = ResourceId + SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none" + ) on $left.SourceRecordId == $right._ItemId + | extend UserPrincipalName1 = iff(UserPrincipalName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserPrincipalName), + UserName = iff(UserName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserName) + | project TimeGenerated, UserName, UserPrincipalName, UserPrincipalName1, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId + | extend Name=tostring(split(UserPrincipalName, "@")[0]), UPNSuffix=tostring(split(UserPrincipalName, "@")[1]) + | extend Account_0_Name = Name + | extend Account_0_UPNSuffix = UPNSuffix + | extend IP_0_Address = SourceIPAddress + | extend AzureResource_0_ResourceId = 
ResourceId entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: UserPrincipalName + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix - entityType: IP fieldMappings: - identifier: Address @@ -41,4 +46,5 @@ entityMappings: - entityType: AzureResource fieldMappings: - identifier: ResourceId - columnName: ResourceId \ No newline at end of file + columnName: ResourceId +version: 2.0.0 \ No newline at end of file diff --git a/Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml b/Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml index 81d692270ff..122b6dff682 100644 --- a/Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/anomalousActionInTenant.yaml @@ -1,7 +1,7 @@ id: 9ba2b304-7767-4d54-b03c-b0161ae87cc7 name: Anomalous action performed in tenant by privileged user description: | - 'Shows activties that have never been executed in the tenant, performed by a user with high privileges.' + 'Shows activities that have never been executed in the tenant, performed by a user with high privileges.' requiredDataConnectors: - connectorId: BehaviorAnalytics dataTypes: @@ -11,10 +11,12 @@ relevantTechniques: query: | BehaviorAnalytics | where ActivityInsights.FirstTimeActionPerformedInTenant == True - | where UsersInsights.BlastRadius == 'High' + | where UsersInsights.BlastRadius =~ 'High' | extend AadUserId = UsersInsights.AccountObjectID + | extend Account_0_AadUserId = AadUserId entityMappings: - entityType: Account fieldMappings: - identifier: AadUserId columnName: AadUserId +version: 2.0.0 \ No newline at end of file diff --git a/Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml b/Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml index 895b2b7500b..bdbc6819e0b 100644 
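Review bot: The SigninLogs filter on the right side of the join, `Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none"`, reduces to `Status.errorCode == 0` because `and` binds tighter than `or`, so the `RiskDetail` clause the commit edits (`!=` → `!~`) never filters anything. If sign-in risk is meant to be one of several indications, as the description says, drop the dead clause and keep `SigninLogs | where Status.errorCode == 0`; if risk was meant to be required, the condition needs parentheses instead. Either way the output never shows the risk evidence the description promises ("performed by a user with risk information from AAD"), because `RiskDetail` is not in the `| project` list; adding it there would let an analyst see why a row surfaced. The `UserPrincipalName1` column introduced here is renamed back in the follow-up patch, so that part is not re-raised.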
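Review bot: The new `| extend Account_0_AadUserId = AadUserId` line carries `UsersInsights.AccountObjectID` through to the entity mapping as whatever type the dynamic property has; if it is not already a string, `| extend AadUserId = tostring(UsersInsights.AccountObjectID)` would hand the Account mapping a plain string — presumably what the mapping expects, confirm against the connector schema. The changed filter `| where UsersInsights.BlastRadius =~ 'High'` likewise applies the string operator to a dynamic property, and `| where tostring(UsersInsights.BlastRadius) =~ 'High'` makes the conversion explicit rather than relying on implicit coercion. The same `AadUserId` point applies to the dormantAccountActivityFromUncommonCountry.yaml hunk at `@@ -15,9 +15,10 @@` and the firstConnectionFromGroup.yaml hunk at `@@ -10,20 +10,22 @@`.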
--- a/Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/dormantAccountActivityFromUncommonCountry.yaml @@ -1,7 +1,7 @@ id: 7c303408-f913-42f8-8d7b-9eb64a229c4d name: Dormant account activity from uncommon country description: | - 'Shows dormant accounts (not active in last 180 days), that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.' + 'Shows dormant accounts (not active in the last 180 days) that connect from a country for the first time and the country is uncommon in the tenant or is the first time the ISP is used.' requiredDataConnectors: - connectorId: BehaviorAnalytics dataTypes: @@ -15,9 +15,10 @@ query: | | where ActivityInsights.CountryUncommonlyConnectedFromInTenant == True or ActivityInsights.FirstTimeConnectionViaISPInTenant == True | extend AadUserId = UsersInsights.AccountObjectID + | extend Account_0_AadUserId = AadUserId entityMappings: - entityType: Account fieldMappings: - identifier: AadUserId columnName: AadUserId - +version: 2.0.0 diff --git a/Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml b/Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml index 10201017d45..6647bdd2967 100644 --- a/Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/firstConnectionFromGroup.yaml 
@@ -1,7 +1,7 @@ id: 741fdf32-e002-4577-ac9b-839fb49f128e name: Anomalous connection from highly privileged user description: | - 'Shows all users from a given department, which have high impact on the organization, who connected to a resource for the first time, and none of their peers accessed it' + 'Shows all users from a given department, which have a high impact on the organization, who connected to a resource for the first time and none of their peers accessed it.' requiredDataConnectors: - connectorId: BehaviorAnalytics dataTypes: @@ -10,20 +10,22 @@ requiredDataConnectors: tactics: relevantTechniques: query: | - let Group = 'Helpdesk'; - IdentityInfo + let Group = 'Helpdesk'; // Update this value as per your requirement + IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountObjectId //get latest information - | where Department == Group - | where BlastRadius == 'High' - | join ( BehaviorAnalytics - | where ActivityType == 'LogOn' - | where ActionType == 'ResourceAccess' //filter for specific activties + | where Department =~ Group + | where BlastRadius =~ 'High' + | join kind=inner ( BehaviorAnalytics + | where ActivityType =~ 'LogOn' + | where ActionType =~ 'ResourceAccess' //filter for specific activties | where ActivityInsights.FirstTimeUserAccessedResource == True | where ActivityInsights.ResourceUncommonlyAccessedAmongPeers == True ) on $left.AccountUPN == $right.UserPrincipalName | extend AadUserId = UsersInsights.AccountObjectID + | extend Account_0_AadUserId = AadUserId entityMappings: - entityType: Account fieldMappings: - identifier: AadUserId - columnName: AadUserId \ No newline at end of file + columnName: AadUserId +version: 2.0.0 \ No newline at end of file From b09dd93c2d9f13e12664645dac2052f3e6fe73d1 Mon Sep 17 00:00:00 2001 
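Review bot: The join key `on $left.AccountUPN == $right.UserPrincipalName` is still a case-sensitive equality, while this hunk switches every surrounding filter (`Department`, `BlastRadius`, `ActivityType`, `ActionType`) to case-insensitive `=~`; if IdentityInfo and BehaviorAnalytics record the same UPN with different casing, the now-`inner` join silently drops that user. Normalizing a dedicated key on both sides keeps the original columns intact: `| extend JoinKey = tolower(AccountUPN)` before the join, `| extend JoinKey = tolower(UserPrincipalName)` inside the BehaviorAnalytics subquery, and `) on JoinKey`. The re-added comment line still carries the typo `//filter for specific activties` and should read `//filter for specific activities`.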
From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Fri, 28 Apr 2023 12:54:38 +0530 Subject: [PATCH 2/3] Updating Join kind --- .../Hunting Queries/Anomalous Sign-in Activity.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml index dbbb8db92f9..8a5569a50cc 100644 --- a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml 
@@ -21,12 +21,12 @@ query: | BehaviorAnalytics | where ActionType =~ "Sign-in" | where UsersInsights.IsNewAccount == True or UsersInsights.IsDormantAccount == True or ActivityInsights has "True" - | join ( + | join kind = inner ( SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none" ) on $left.SourceRecordId == $right._ItemId - | extend UserPrincipalName1 = iff(UserPrincipalName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserPrincipalName), + | extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserPrincipalName), UserName = iff(UserName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserName) - | project TimeGenerated, UserName, UserPrincipalName, UserPrincipalName1, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId + | project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId | extend Name=tostring(split(UserPrincipalName, "@")[0]), UPNSuffix=tostring(split(UserPrincipalName, "@")[1]) | extend Account_0_Name = Name | extend Account_0_UPNSuffix = UPNSuffix @@ -47,4 +47,4 @@ entityMappings: fieldMappings: - identifier: ResourceId columnName: ResourceId -version: 2.0.0 \ No newline at end of file +version: 2.0.0 From 7cb6efe1690b33c87c5b5a7a240b144d58789561 Mon Sep 17 00:00:00 2001 From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Tue, 2 May 2023 09:56:10 +0530 Subject: [PATCH 3/3] Update Anomalous Sign-in Activity.yaml --- .../Hunting Queries/Anomalous Sign-in Activity.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
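Review bot: The second assignment in the extend, `UserName = iff(UserName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserName)`, derives a guest's UserName from `UserPrincipalName` rather than from `UserName`, so for `#EXT#` accounts the normalized UserName becomes a copy of the normalized UPN; if that is intended, a short comment saying so would help, otherwise it should be `split(UserName, "#")`. Because the same statement now overwrites `UserPrincipalName` itself, a reader has to know that both expressions presumably evaluate against the input column (the raw `#EXT#` form) rather than the freshly extended one — worth a one-line comment such as `// both branches read the pre-normalization UPN`; confirm this evaluation order against the KQL extend semantics.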
diff --git a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml index 8a5569a50cc..50597c36c07 100644 --- a/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml +++ b/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml @@ -2,7 +2,7 @@ id: bb3bb9da-9598-4d1f-af78-7cc2fd413b0b name: Anomalous Sign-in Activity description: | 'Adversaries may steal the credentials of a specific user or service account using credential access techniques or capture credentials earlier in their reconnaissance process through social engineering as a means of gaining persistence." Umbreon, for example, creates valid users to provide access to the system. - The query below generates an output of successful sign-in with one or more of the following indications: + The query below generates an output of successful sign-in with one or more of the following indications:- - performed by new or recently dormant accounts - where one or more features of the activity deviate from the user, his peers, or the tenant's profile. - performed by a user with risk information from AAD'