Azure · v-prasadboke · Aug 24, 2023 · Sep 11, 2023 · Sep 14, 2023 · Sep 17, 2023
@@ -7,7 +7,10 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_dns
+      - Corelight_v2_dns_red
+      - corelight_dns
+      - corelight_dns_red
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -16,16 +19,15 @@ tactics:
   - CommandAndControl
 query: |
   let threshold = 25;
-  Corelight
-  | where EventType =~ 'dns'
-  | where DnsResponseCodeName in~ ('NXDOMAIN', 'SERVFAIL')
-  | summarize count() by DnsQueryName, SrcIpAddr, bin(TimeGenerated, 5m)
+  union corelight_dns, corelight_dns_red
+  // rcodes: SERVFAIL=2, NXDOMAIN=3
+  | where rcode in (2, 3)
+  | summarize count() by query, id_orig_h, bin(TimeGenerated, 5m)
   | where count_ > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -18,15 +19,13 @@ tactics:
 relevantTechniques:
   - T1090 
 query: |
-  Corelight
-  | where EventType =~ 'http'
-  | where isnotempty(HttpProxiedHeaders)
-  | where ipv4_is_private(SrcIpAddr) == 'False'
-  | extend IPCustomEntity = SrcIpAddr
+  corelight_http
+  | where isnotempty(proxied)
+  | where not(ipv4_is_private(id_orig_h))
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,10 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_conn
+      - Corelight_v2_conn_red
+      - corelight_conn
+      - corelight_conn_red
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,16 +20,14 @@ tactics:
 relevantTechniques:
   - T1187
 query: |
-  Corelight
-  | where EventType =~ 'conn'
-  | where ZeekConnLocalSrc == 'True'
-  | where ZeekConnLocalDst == 'False'
-  | where NetworkConnectionHistory hasprefix 'Sh' and NetworkApplication hasprefix 'smb'
-  | extend IPCustomEntity = SrcIpAddr
+  union corelight_conn, corelight_conn_red
+  | where local_orig == true
+  | where local_resp == false
+  | where history hasprefix 'Sh' and service hasprefix 'smb'
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -16,18 +17,16 @@ tactics:
   - Exfiltration
 query: |
   let threshold = 25;
-  Corelight
-  | where EventType =~ 'http'
-  | where HttpRequestMethod in~ ('POST', 'PUT')
-  | where isempty(HttpReferrerOriginal)
-  | where SrcMimeType in~ ('application/vnd.ms-cab-compressed', 'application/warc', 'application/x-7z-compressed', 'application/x-ace', 'application/x-arc', 'application/x-archive', 'application/x-arj', 'application/x-compress', 'application/x-cpio', 'application/x-dmg', 'application/x-eet', 'application/x-gzip', 'application/x-lha', 'application/x-lrzip', 'application/x-lz4', 'application/x-lzma', 'application/x-lzh', 'application/x-lzip', 'application/x-rar', 'application/x-rpm', 'application/x-stuffit', 'application/x-tar', 'application/x-xz', 'application/x-zoo', 'application/zip')
-  | summarize count() by UrlOriginal, SrcIpAddr, bin(TimeGenerated, 15m)
+  corelight_http
+  | where method in~ ('POST', 'PUT')
+  | where isempty(referrer)
+  | where orig_mime_types has_any ('application/vnd.ms-cab-compressed', 'application/warc', 'application/x-7z-compressed', 'application/x-ace', 'application/x-arc', 'application/x-archive', 'application/x-arj', 'application/x-compress', 'application/x-cpio', 'application/x-dmg', 'application/x-eet', 'application/x-gzip', 'application/x-lha', 'application/x-lrzip', 'application/x-lz4', 'application/x-lzma', 'application/x-lzh', 'application/x-lzip', 'application/x-rar', 'application/x-rpm', 'application/x-stuffit', 'application/x-tar', 'application/x-xz', 'application/x-zoo', 'application/zip')
+  | summarize count() by uri, id_orig_h, bin(TimeGenerated, 15m)
   | where count_ > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -19,18 +20,16 @@ relevantTechniques:
 query: |
   let threshold = 25;
   let fl_size_threshold = 10000000;
-  Corelight
-  | where EventType =~ 'http'
-  | where HttpRequestMethod in~ ('POST', 'PUT')
-  | where isempty(HttpReferrerOriginal)
-  | where tolong(HttpRequestBodyBytes) > fl_size_threshold
-  | summarize count() by UrlOriginal, SrcIpAddr, bin(TimeGenerated, 15m)
+  corelight_http
+  | where method in~ ('POST', 'PUT')
+  | where isempty(referrer)
+  | where tolong(request_body_len) > fl_size_threshold
+  | summarize count() by uri, id_orig_h, bin(TimeGenerated, 15m)
   | where count_ > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,10 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_conn
+      - Corelight_v2_conn_red
+      - corelight_conn
+      - corelight_conn_red
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -18,19 +21,17 @@ relevantTechniques:
   - T1566
 query: |
   let threshold = 25;
-  Corelight
-  | where EventType =~ 'conn'
-  | where ZeekConnLocalSrc == 'True'
-  | where ZeekConnLocalDst == 'True'
-  | where NetworkConnectionState in~ ('S0', 'REJ')
-  | where NetworkConnectionHistory !contains 'D'
-  | summarize count() by SrcIpAddr, DstPort, bin(TimeGenerated, 1m)
+  union corelight_conn, corelight_conn_red
+  | where local_resp == true
+  | where local_orig == true
+  | where conn_state in~ ('S0', 'REJ')
+  | where history !contains 'D'
+  | summarize count() by id_orig_h, id_resp_p, bin(TimeGenerated, 1m)
   | where count_ > threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,18 +18,16 @@ tactics:
 relevantTechniques:
   - T1505
 query: |
-  Corelight
-  | where EventType =~ 'http'
-  | where HttpRequestMethod in~ ('POST', 'PUT')
-  | where toint(HttpStatusCode) between (200 .. 299)
-  | where HttpRequestBodyBytes != 0 or HttpResponseBodyBytes != 0
-  | extend fe = extract(@'.*(\.\w+)$', 1, UrlOriginal)
+  corelight_http
+  | where method in~ ('POST', 'PUT')
+  | where toint(status_code) between (200 .. 299)
+  | where request_body_len != 0 or response_body_len != 0
+  | extend fe = extract(@'.*(\.\w+)$', 1, uri)
   | where fe in~ ('.jpg', '.jpeg', '.gif', '.png', '.icon', '.ico', '.xml', '.swf', '.svg', '.ppt', '.pttx', '.doc', '.docx', '.rtf', '.pdf', '.tif', '.zip', '.mov')
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -18,20 +19,18 @@ relevantTechniques:
   - T1505
 query: |
   let threshold = 3;
-  Corelight
-  | where EventType =~ 'http'
-  | where HttpRequestMethod in~ ('POST', 'PUT')
-  | where toint(HttpStatusCode) !between (400 .. 499)
-  | where HttpRequestBodyBytes != 0 or HttpResponseBodyBytes != 0
-  | extend fe = extract(@'.*(\.\w+)$', 1, UrlOriginal)
+  corelight_http
+  | where method in~ ('POST', 'PUT')
+  | where toint(status_code) !between (400 .. 499)
+  | where request_body_len != 0 or response_body_len != 0
+  | extend fe = extract(@'.*(\.\w+)$', 1, uri)
   | where fe in~ ('.aspx', '.asp', '.php', '.jsp', '.jspx', '.war', '.ashx', '.asmx', '.ascx', '.asx', '.cshtml', '.cfm', '.cfc', '.cfml', '.wss', '.do', '.action', '.pl', '.plx', '.pm', '.xs', '.t', '.pod', '.php-s', '.pht', '.phar', '.phps', '.php7', '.php5', '.php4', '.php3', '.phtml', '.py', '.rb', '.rhtml', '.cgi', '.dll', '.ayws', '.cgi', '.erb', '.rjs', '.hta', '.htc', '.cs', '.kt', '.lua', '.vbhtml')
-  | summarize count() by UrlOriginal, SrcIpAddr
+  | summarize count() by uri, id_orig_h
   | where count_ < threshold
-  | extend IPCustomEntity = SrcIpAddr
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_smtp
+      - corelight_smtp
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,21 +18,19 @@ tactics:
 relevantTechniques:
   - T1566 
 query: |
-  Corelight
-  | where EventType =~ 'smtp'
-  | where Subject hasprefix  @'\=?utf-16'
-  | summarize recipients = dcount(To)
+  corelight_smtp
+  | where subject hasprefix  @'\=?utf-16'
+  | summarize recipients = dcount(_to)
   | extend k = 1
-  | join (Corelight
-          | where Subject hasprefix  @'\=?utf-16'
-          | summarize by To
+  | join (corelight_smtp
+          | where subject hasprefix  @'\=?utf-16'
+          | summarize by _to
           | extend k = 1) on k
   | where recipients > 1
-  | extend MailCustomEntity = To
 entityMappings:
   - entityType: MailMessage
     fieldMappings:
       - identifier: Recipient
-        columnName: MailCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: _to
+version: 2.1.0
+kind: Scheduled
@@ -7,7 +7,8 @@ status: Available
 requiredDataConnectors:
   - connectorId: Corelight
     dataTypes:
-      - Corelight
+      - Corelight_v2_http
+      - corelight_http
 queryFrequency: 1h
 queryPeriod: 1h
 triggerOperator: gt
@@ -17,16 +18,14 @@ tactics:
 relevantTechniques:
   - T1566
 query: |
-  Corelight
-  | where EventType =~ 'http'
-  | where HttpRequestMethod =~ 'GET'
-  | where isempty(HttpReferrerOriginal)
-  | where HttpRequestHeaderHost has 'xn--'
-  | extend IPCustomEntity = SrcIpAddr
+  corelight_http
+  | where method =~ 'GET'
+  | where isempty(referrer)
+  | where host has 'xn--'
 entityMappings:
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+        columnName: id_orig_h
+version: 2.1.0
+kind: Scheduled