Merge pull request #9624 from Azure/Entity-Work-#5-Diana's-Half

entity mapping fixes
Azure · Dec 29, 2023 · ec65f47 · ec65f47
2 parents e99fa2b + ebb67b7
commit ec65f47
Show file tree

Hide file tree

Showing 15 changed files with 263 additions and 134 deletions.
diff --git a/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml b/Detections/MultipleDataSources/DisabledAccIPSigninWithRareRiskyOps.yaml
@@ -55,13 +55,13 @@ query: |
   | order by disabledAccountLoginAttempts
   // Break up the string of Succesfully signed into accounts into individual events
   | mvexpand successfulAccountSigninSet
-  | extend IPCustomEntity = IPAddress
+  | extend JoinedOnIp = IPAddress
   | join kind = inner (
         OfficeActivity
       | where TimeGenerated > timeRange
       | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule") and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount'))
       // Remove port from the end of the IP and/or square brackets around IP, if they exist 
-      | extend IPCustomEntity = case(
+      | extend JoinedOnIp = case(
         ClientIP matches regex @'\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\]-\d{1,5}', tostring(extract('\\[([0-9]+\\.[0-9]+\\.[0-9]+)\\]-[0-9]+', 1, ClientIP)),
         ClientIP matches regex @'\[((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\]', tostring(extract('\\[([0-9]+\\.[0-9]+\\.[0-9]+)\\]', 1, ClientIP)),  
         ClientIP matches regex @'(((25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]2[0-4][0-9]|[01]?[0-9][0-9]?))-\d{1,5}', tostring(extract('([0-9]+\\.[0-9]+\\.[0-9]+)-[0-9]+', 1, ClientIP)),
@@ -71,22 +71,25 @@ query: |
         ClientIP matches regex @'((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\d{1,3}(?:\.\d{1,3}){3})-\d{1,5}', tostring(extract('((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\\d{1,3}(?:\\.\\d{1,3}){3})-[0-9]+', 1, ClientIP)),
         ClientIP matches regex @'((?:[0-9a-fA-F]{1,4}::?){1,8}[0-9a-fA-F]{1,4}|\d{1,3}(?:\.\d{1,3}){3})', ClientIP,
         "")
-      | where isnotempty(IPCustomEntity)
+      | where isnotempty(JoinedOnIp)
       | extend OfficeTimeStamp = ElevationTime, UserPrincipalName = UserId
-  ) on IPCustomEntity
+  ) on JoinedOnIp
   // Rare and risky operations only happen within a certain time range of the successful sign-in
   | where OfficeTimeStamp >= successSigninStart and datetime_diff('day', OfficeTimeStamp, successSigninEnd) <= timeBuffer
+  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
         columnName: UserPrincipalName
       - identifier: Name
-        columnName: AppDisplayName
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
+        columnName: JoinedOnIp
   - entityType: IP
     fieldMappings:
       - identifier: Address
@@ -99,7 +102,7 @@ entityMappings:
     fieldMappings:
       - identifier: AppId
         columnName: ApplicationId
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
 metadata:
     source:

diff --git a/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml b/Detections/MultipleDataSources/GainCodeExecutionADFSviaWMI.yaml
@@ -77,7 +77,10 @@ query: |
   // This can be commented out or altered to filter out known internal uses
   | where CommandLine has_any ('rundll32') 
   | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account
+  | extend timestamp = TimeGenerated
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
+  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
   // Search for recent logons to identify lateral movement
   | join kind= inner
   (SecurityEvent
@@ -103,7 +106,10 @@ query: |
   | extend Account = strcat(EventData.TargetDomainName,"\\", EventData.TargetUserName)
   | extend TargetLogonId = tostring(EventData.TargetLogonId)
   | project TimeGenerated, TargetAccount, CommandLine, Computer, Account, TargetLogonId
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = Account
+  | extend timestamp = TimeGenerated
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
+  | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1])
   // Search for recent logons to identify lateral movement
   | join kind= inner
   (WindowsEvent
@@ -129,25 +135,36 @@ query: |
   | extend Key=tostring(['@Name']), Value=['#text']
   | evaluate pivot(Key, any(Value), TimeGenerated, Source, EventLog, Computer, EventLevel, EventLevelName, UserName, RenderedDescription, MG, ManagementGroupName, Type, _ResourceId)
   | project TimeGenerated, EventType, Image, Computer, UserName
-  | extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = UserName
+  | extend timestamp = TimeGenerated
+  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
+  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
+  | extend AccountName = tostring(split(UserName, "\\")[0]), AccountNTDomain = tostring(split(UserName, "\\")[1])
   )
   )
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: UserName
+      - identifier: Name
+        columnName: AccountName
+      - identifier: NTDomain
+        columnName: AccountNTDomain
   - entityType: Host
     fieldMappings:
       - identifier: FullName
-        columnName: HostCustomEntity
-version: 1.1.2
+        columnName: Computer
+      - identifier: HostName
+        columnName: HostName
+      - identifier: NTDomain
+        columnName: HostNameDomain
+version: 1.1.3
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: jannieli
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

diff --git a/Detections/MultipleDataSources/HostAADCorrelation.yaml b/Detections/MultipleDataSources/HostAADCorrelation.yaml
@@ -71,7 +71,8 @@ query: |
   | where ResultType in ("0", "50125", "50140")
   | where IPAddress in (win_fails) or IPAddress in (nix_fails) or IPAddress in (wef_fails)
   | extend Reason=  "Multiple failed host logins from IP address with successful Azure AD login"
-  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress, Type = Type
+  | extend timestamp = TimeGenerated, Type = Type
+  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
   };
   let aadSignin = aadFunc("SigninLogs");
   let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
@@ -80,18 +81,22 @@ entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: UserPrincipalName
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.1.4
+        columnName: IPAddress
+version: 1.1.5
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Pete Bryan
+        name: Microsoft Security Research
     support:
         tier: Community
     categories:

diff --git a/Detections/MultipleDataSources/MailBoxTampering.yaml b/Detections/MultipleDataSources/MailBoxTampering.yaml
@@ -63,24 +63,29 @@ query: |
   | project TimeGenerated, ActivityDisplayName, AADOperationType, Initiatedby, TargetAccount, BuiltinRole, CustomGroup, LoggedByService, Result, ResourceId, Id
   | sort by TimeGenerated desc
   ) on $left.UserId == $right.Initiatedby
-  | project AADOperationType, ActivityDisplayName,AccountCustomEntity=Initiatedby, Id,ResourceId,IPCustomEntity=IpAddress
-
+  | extend AccountName = tostring(split(Initiatedby, "@")[0]), AccountUPNSuffix = tostring(split(Initiatedby, "@")[1])
+  | project AADOperationType, ActivityDisplayName,AccountName, AccountUPNSuffix, Id,ResourceId,IpAddress
+  
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: FullName
-        columnName: AccountCustomEntity
+        columnName: Initiatedby
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.1
+        columnName: IpAddress
+version: 1.0.2
 kind: Scheduled
 metadata:
     source:
         kind: Community
     author:
-        name: Pete Bryan
+        name: Microsoft Security Research
     support:
         tier: Community
     categories: