Merge branch 'master' into solution/GreyNoise-1

Azure · Sep 7, 2023 · b749921 · b749921
2 parents 622377c + aea89e0
commit b749921
Show file tree

Hide file tree

Showing 186 changed files with 14,657 additions and 7,348 deletions.
diff --git a/.github/workflows/checkAutomatedPR.yaml b/.github/workflows/checkAutomatedPR.yaml
@@ -30,7 +30,7 @@ jobs:
         id: ValidateAutomatedPR
 
         run: |
-          $prBodyContent = "${{ env.BODY }}"
+          $prBodyContent = '${{ env.BODY }}'
           $isAutomatedPR = $false
           if ($prBodyContent -like '*Automation have successfully*')
           {

diff --git a/.script/tests/KqlvalidationsTests/CustomTables/MailGuard365_Threats_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/MailGuard365_Threats_CL.json
@@ -0,0 +1,133 @@
+{
+    "Name": "MailGuard365_Threats_CL",
+    "Properties": [
+        {
+            "Name": "TenantId",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceSystem",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "MessageId_s",
+            "Type": "String"
+        },
+        {
+            "Name": "HeaderMessageId_s",
+            "Type": "String"
+        },
+        {
+            "Name": "UserId_g",
+            "Type": "String"
+        },
+        {
+            "Name": "CustomerTenantId_g",
+            "Type": "String"
+        },
+        {
+            "Name": "Score_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "Virus_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Category",
+            "Type": "String"
+        },
+        {
+            "Name": "Attachments_s",
+            "Type": "String"
+        },
+        {
+            "Name": "Sender_Email_s",
+            "Type": "Double"
+        },
+        {
+            "Name": "Sender_Domain_s",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "Recipients_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ReceivedHeaders_s",
+            "Type": "String"
+        },
+        {
+            "Name": "SenderHeader_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ToHeader_s",
+            "Type": "Guid"
+        },
+        {
+            "Name": "CcHeader_s",
+            "Type": "String"
+        },
+        {
+            "Name": "Subject_s",
+            "Type": "String"
+        },
+        {
+            "Name": "OriginCountry_s",
+            "Type": "String"
+        },
+        {
+            "Name": "MessageDate_t",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "MessageSize_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "Action_s",
+            "Type": "String"
+        },
+        {
+            "Name": "ReceivedDateTime_d",
+            "Type": "Real"
+        },
+        {
+            "Name": "ForefrontAntiSpam_s",
+            "Type": "String"
+        },
+        {
+            "Name": "MicrosoftAntiSpam_s",
+            "Type": "String"
+        },
+        {
+            "Name": "IsInWhiteList_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "IsInBlackList_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Email_s",
+            "Type": "String"
+        },
+        {
+            "Name": "HasAttachment_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "HasImage_b",
+            "Type": "Bool"
+        },
+        {
+            "Name": "Type",
+            "Type": "String"
+        }
+    ]
+}
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -197,5 +197,8 @@
   "DynatraceAuditLogs",
   "DynatraceProblems",
   "MicrosoftDefenderThreatIntelligence",
-  "CortexXDR"
+  "CortexXDR",
+  "PingFederateAma",
+  "vArmourACAma",
+  "ContrastProtectAma"
 ]
diff --git a/.script/utils/workbookCheckers/WorkbookPreviewImageValidationSkipList.json b/.script/utils/workbookCheckers/WorkbookPreviewImageValidationSkipList.json
@@ -17,6 +17,11 @@
     "RecordedFutureDomainC2DNSWorkbook",
     "vCenter",
     "RecordedFutureIPActiveC2Workbook",
-    "Fortiweb-workbook"
+    "Fortiweb-workbook",
+    "SecurityBridgeWorkbook",
+    "NCProtectWorkbook",
+    "SAP-Monitors-AlertsandPerformance",
+    "SAP-SecurityAuditlogandInitialAccess",
+    "SAP-AuditControls"
   ]
 }
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -248,7 +248,7 @@ DstZone,string,Optional,WebSession,,,
 Duration,int,Alias,Dns,,,DnsNetworkDuration
 Duration,int,Alias,NetworkSession,,,NetworkDuration
 Duration,int,Alias,WebSession,,,NetworkDuration
-Duration,string,Alias,Dhcp,,,DhcpSessionDuration
+Duration,int,Alias,Dhcp,,,DhcpSessionDuration
 Dvc,string,Mandatory,AuditEvent,,,
 Dvc,string,Mandatory,Authentication,,,
 Dvc,string,Mandatory,Common,,,

diff --git a/DataConnectors/O365 Data/O365APItoAS-Template.zip b/DataConnectors/O365 Data/O365APItoAS-Template.zip
diff --git a/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1 b/DataConnectors/O365 Data/O365APItoAS-Template/TimerTrigger/run.ps1
@@ -159,9 +159,10 @@ function Get-AuthToken{
             [string]$TenantGUID
         )
     # Create app of type Web app / API in Azure AD, generate a Client Secret, and update the client id and client secret here
-    $loginURL = "$env:loginEndpoint"
+    if ([string]::IsNullOrEmpty($loginURL)){$loginURL = "https://login.microsoftonline.com/"}
     # Get the tenant GUID from Properties | Directory ID under the Azure Active Directory section
-    $resource = "https://$env:managementApi"
+
+    $resource = "https://$managementApi"
     # auth
     $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
     $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
@@ -185,7 +186,7 @@ function Get-O365Data{
     $contentTypes = $env:contentTypes.split(",")
     #Loop for each content Type like Audit.General
     foreach($contentType in $contentTypes){
-        $listAvailableContentUri = "https://$env:managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
+        $listAvailableContentUri = "https://$managementApi/api/v1.0/$tenantGUID/activity/feed/subscriptions/content?contentType=$contentType&PublisherIdentifier=$env:publisher&startTime=$startTime&endTime=$endTime"
         do {
             #List Available Content
             $contentResult = Invoke-RestMethod -Method GET -Headers $headerParams -Uri $listAvailableContentUri
@@ -249,7 +250,22 @@ if (-Not [string]::IsNullOrEmpty($LAURI)){
 		Exit
 	}
 }
-
+$LoginURL = $env:loginEndpoint
+if (-Not [string]::IsNullOrEmpty($LoginURL)){
+	if($LoginURL.Trim() -notin @("https://login.microsoftonline.us","https://login.partner.microsoftonline.cn","https://login.microsoftonline.com"))
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Login Endpoint Uri." -ErrorAction Stop
+		Exit
+	}
+}
+$managementApi = $env:managementApi
+if (-Not [string]::IsNullOrEmpty($managementApi)){
+	if($managementApi.Trim() -notin @("manage.office.com","manage-gcc.office.com","manage.office365.us","manage.protection.apps.mil"))
+	{
+		Write-Error -Message "MCASActivity-SecurityEvents: Invalid Management API Endpoint." -ErrorAction Stop
+		Exit
+	}
+} else {$managementApi = "manage.office.com"}
 
 #add last run time to blob file to ensure no missed packages
 $endTime = $currentUTCtime | Get-Date -Format yyyy-MM-ddTHH:mm:ss

diff --git a/DataConnectors/Templates/Connector_UploadIndicatorsAPI_template.json b/DataConnectors/Templates/Connector_UploadIndicatorsAPI_template.json
@@ -22,7 +22,7 @@
             "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem == 'PROVIDER SOURCE SYSTEM NAME' | summarize Time = max(TimeGenerated)"
         }
     ],
-    "connectivityCriteria": [
+    "connectivityCriterias": [
         {
             "type": "IsConnectedQuery",
             "value": [
@@ -78,4 +78,4 @@
             ]
         }
     ]
-}
+}
diff --git a/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml b/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
@@ -38,11 +38,12 @@ query: |
   | join kind=inner (
       SigninLogs
       | where TimeGenerated > ago(query_period)
+      | where ResultType == 0
       | summarize take_any(*) by UserPrincipalName
       | extend ParsedUserPrincipalName = translate("@", "_", UserPrincipalName)
       | project SigninLogs_TimeGenerated = TimeGenerated, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails, AppDisplayName, ResourceDisplayName, ClientAppUsed, UserAgent, DeviceDetail, UserId, UserType, OriginalRequestId, ParsedUserPrincipalName
       ) on $left.ParsedDeletedUserPrincipalName == $right.ParsedUserPrincipalName
-  | where Delete_TimeGenerated > SigninLogs_TimeGenerated
+  | where SigninLogs_TimeGenerated > Delete_TimeGenerated
   | project-away ParsedDeletedUserPrincipalName, ParsedUserPrincipalName
   | extend
       AccountName = tostring(split(UserPrincipalName, "@")[0]),
@@ -58,7 +59,7 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 metadata:
     source:

diff --git a/Logos/Commvault-Logo.svg b/Logos/Commvault-Logo.svg
diff --git a/Logos/MailGuard365_logo.svg b/Logos/MailGuard365_logo.svg