From a0976f0f396b250f431c06c1637977f726cf3a04 Mon Sep 17 00:00:00 2001
From: Shain <45466083+shainw@users.noreply.github.com>
Date: Fri, 29 Dec 2023 13:07:38 -0800
Subject: [PATCH] Removing custom entity mapping
---
 ...iscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml | 8 +++-----
 ...CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml | 7 +++----
 .../CiscoUmbrellaCryptoMinerUserAgentDetected.yaml | 7 +++----
 .../CiscoUmbrellaEmptyUserAgentDetected.yaml | 7 +++----
 .../CiscoUmbrellaHackToolUserAgentDetected.yaml | 7 +++----
 .../CiscoUmbrellaPowershellUserAgentDetected.yaml | 7 +++----
 .../CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml | 7 +++----
 ...UmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml | 8 +++-----
 .../CiscoUmbrellaRequestBlocklistedFileType.yaml | 8 +++-----
 .../CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml | 8 +++-----
 10 files changed, 30 insertions(+), 44 deletions(-)
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
index 1be2bd717b8..3bd73de8044 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionNon-CorporatePrivateNetwork.yaml
@@ -22,17 +22,15 @@ query: |
 | where DvcAction =~ 'Allowed' | where UrlCategory has_any ('Dynamic and Residential', 'Personal VPN') | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Identities - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.0 + columnName: SrcIpAddr +version: 1.1.1 kind: Scheduled 
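Review bot: The Account mapping now reads the `Identities` column directly (`columnName: Identities`), but if I recall the Cisco Umbrella proxy log schema correctly that field can hold a comma-separated list when several identities are attached to one request, in which case a multi-identity row produces a single Account entity whose FullName is the whole list and resolves to nothing. The removed `extend AccountCustomEntity = Identities` had the same weakness, so this commit does not make it worse, but since the mappings are being rewritten it is worth confirming against the parser output and, if the column is multi-valued, expanding it before the `project` with something like `| mv-expand Identities = split(Identities, ',')` followed by `| extend Identities = tostring(Identities)` so each identity becomes its own entity. The same `Identities` mapping appears in the CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory, CiscoUmbrellaRequestBlocklistedFileType and CiscoUmbrellaURIContainsIPAddress hunks.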
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
index af9fe5684db..8128be780c4 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaConnectionToUnpopularWebsiteDetected.yaml
@@ -30,15 +30,14 @@ query: |
 | where Hostname !in (top_million_list) | extend Message = "Connect to unpopular website (possible malicious payload delivery)" | project Message, SrcIpAddr, DstIpAddr,UrlOriginal, TimeGenerated - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
index 9deab783556..1c68613703e 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaCryptoMinerUserAgentDetected.yaml
@@ -21,15 +21,14 @@ query: |
 | where HttpUserAgentOriginal contains "XMRig" or HttpUserAgentOriginal contains "ccminer" | extend Message = "Crypto Miner User Agent" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled 
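Review bot: The rewritten IP mapping covers only `SrcIpAddr` (`columnName: SrcIpAddr`) even though the `project` line also emits `DstIpAddr`, so the address of the contacted server is never surfaced as an entity and cannot be pivoted on or matched against indicator lists from the incident. Since the custom-entity columns are being retired here anyway, this is the natural moment to add a second IP entity for the destination. The same gap exists in the CiscoUmbrellaCryptoMinerUserAgentDetected, CiscoUmbrellaEmptyUserAgentDetected, CiscoUmbrellaHackToolUserAgentDetected, CiscoUmbrellaPowershellUserAgentDetected and CiscoUmbrellaRareUserAgentDetected hunks, which all project `DstIpAddr` as well.
```yaml
entityMappings:
  # … unchanged: URL and SrcIpAddr mappings …
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: DstIpAddr
```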
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
index d7abed38c37..7babfba9c11 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaEmptyUserAgentDetected.yaml
@@ -21,15 +21,14 @@ query: |
 | where HttpUserAgentOriginal == '' | extend Message = "Empty User Agent" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
index 348aecbd2ec..70af788b119 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaHackToolUserAgentDetected.yaml
@@ -69,15 +69,14 @@ query: |
 | where HttpUserAgentOriginal has_any (user_agents) | extend Message = "Hack Tool User Agent" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
index 057c175a51c..ccf183cd359 100644 
--- a/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaPowershellUserAgentDetected.yaml
@@ -22,15 +22,14 @@ query: |
 | where HttpUserAgentOriginal contains "WindowsPowerShell" | extend Message = "Windows PowerShell User Agent" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated,HttpUserAgentOriginal - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
index 36e722141a8..ae0ec20855f 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRareUserAgentDetected.yaml
@@ -27,15 +27,14 @@ query: |
 | where HttpUserAgentOriginal !in (user_agents_list) | extend Message = "Rare User Agent" | project Message, SrcIpAddr, DstIpAddr, UrlOriginal, TimeGenerated, HttpUserAgentOriginal - | extend IPCustomEntity = SrcIpAddr, UrlCustomEntity = UrlOriginal entityMappings: - entityType: URL fieldMappings: - identifier: Url - columnName: UrlCustomEntity + columnName: UrlOriginal - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.1 + columnName: SrcIpAddr +version: 1.1.2 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
index 789faa3de07..b63877d5f9d 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml 
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRequestAllowedHarmfulMaliciousURICategory.yaml
@@ -39,16 +39,14 @@ query: |
 UrlCategory contains 'Lingerie/Bikini' or UrlCategory contains 'Weapons' | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Identities - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.0 + columnName: SrcIpAddr +version: 1.1.1 kind: Scheduled
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
index 848fe39a4f0..a1de0a86fe2 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaRequestBlocklistedFileType.yaml
@@ -24,16 +24,14 @@ query: |
 | extend Filename = extract(@'.*\/*\/(.*\.\w+)$', 1, UrlOriginal) | where file_ext in (file_ext_blocklist) | project TimeGenerated, SrcIpAddr, Identities, Filename - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Identities - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.0.0 + columnName: SrcIpAddr +version: 1.0.1 kind: Scheduled
\ No newline at end of file
diff --git a/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml b/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
index 44e4bb589e5..2a979542463 100644
--- a/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml
+++ b/Detections/CiscoUmbrella/CiscoUmbrellaURIContainsIPAddress.yaml 
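Review bot: In the CiscoUmbrellaRequestBlocklistedFileType hunk the `project` line emits `Filename`, yet the rewritten entityMappings expose only Account and IP, so the blocklisted file that actually triggered the alert is not available as a File entity for triage or for correlation with other rules. Adding a File mapping next to the two existing ones would close that gap without touching the query. The `\ No newline at end of file` marker still applies to the new side of this file; ending it with a newline after `kind: Scheduled` would match the other rules in this patch.
```yaml
entityMappings:
  # … unchanged: Account and IP mappings …
  - entityType: File
    fieldMappings:
      - identifier: Name
        columnName: Filename
```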
@@ -21,16 +21,14 @@ query: |
 | where DvcAction =~ 'Allowed' | where UrlOriginal matches regex @'\Ahttp:\/\/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.*' | project TimeGenerated, SrcIpAddr, Identities - | extend IPCustomEntity = SrcIpAddr - | extend AccountCustomEntity = Identities entityMappings: - entityType: Account fieldMappings: - identifier: FullName - columnName: AccountCustomEntity + columnName: Identities - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 1.1.0 + columnName: SrcIpAddr +version: 1.1.1 kind: Scheduled
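Review bot: This rule fires on `UrlOriginal` matching an IP-literal URL, but the rewritten entityMappings carry no URL entity because the `project` line drops `UrlOriginal`, so the analyst never sees the offending URL on the incident. Every user-agent rule in the same patch maps `UrlOriginal` to a URL entity, which makes this rule the odd one out; keeping `UrlOriginal` in the projection and adding the same mapping would make the set consistent. A further version bump would be warranted if that is taken up.
```yaml
  | project TimeGenerated, SrcIpAddr, Identities, UrlOriginal
entityMappings:
  # … unchanged: Account and IP mappings …
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: UrlOriginal
```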