From 40630ead9b3dd458e2cbfa95f5eeeb13e8f6cf61 Mon Sep 17 00:00:00 2001 
From: rahul0216 Date: Thu, 21 Dec 2023 16:07:01 +0530 Subject: [PATCH 1/6] Initial Commit --- .../BackupDeletionDetected.yaml | 94 + .../PrintProcessersModified.yaml | 106 + .../StartupRegistryModified.yaml | 122 + .../SuspiciousProcessCreation.yaml | 95 + .../WindowsAllowFirewallRuleAdded.yaml | 110 + .../Analytic Rules/WindowsUpdateDisabled.yaml | 109 + .../Solution_MalwareProtectionEssentials.json | 35 + .../ExecutableInUncommonLocation.yaml | 101 + .../FileCretaedInStartupFolder.yaml | 98 + .../FilesWithRansomwareExtensions.yaml | 92 + .../NewMaliciousScheduledTask.yaml | 94 + .../NewScheduledTaskCreation.yaml | 91 + .../SystemFilesModifiedByUser.yaml | 108 + .../Package/3.0.0.zip | Bin 0 -> 21601 bytes .../Package/createUiDefinition.json | 359 +++ .../Package/mainTemplate.json | 2082 +++++++++++++++++ .../ReleaseNotes.md | 3 + .../SolutionMetadata.json | 20 + .../Watchlists/RansomwareFileExtensions.csv | 202 ++ .../Watchlists/RansomwareFileExtensions.json | 32 + .../MalwareProtectionEssentialsWorkbook.json | 540 +++++ 21 files changed, 4493 insertions(+) create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/StartupRegistryModified.yaml create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml create mode 100644 Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml create mode 100644 Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json create mode 100644 Solutions/Malware Protection Essentials/Hunting Queries/ExecutableInUncommonLocation.yaml create mode 100644 Solutions/Malware Protection Essentials/Hunting 
Queries/FileCretaedInStartupFolder.yaml create mode 100644 Solutions/Malware Protection Essentials/Hunting Queries/FilesWithRansomwareExtensions.yaml create mode 100644 Solutions/Malware Protection Essentials/Hunting Queries/NewMaliciousScheduledTask.yaml create mode 100644 Solutions/Malware Protection Essentials/Hunting Queries/NewScheduledTaskCreation.yaml create mode 100644 Solutions/Malware Protection Essentials/Hunting Queries/SystemFilesModifiedByUser.yaml create mode 100644 Solutions/Malware Protection Essentials/Package/3.0.0.zip create mode 100644 Solutions/Malware Protection Essentials/Package/createUiDefinition.json create mode 100644 Solutions/Malware Protection Essentials/Package/mainTemplate.json create mode 100644 Solutions/Malware Protection Essentials/ReleaseNotes.md create mode 100644 Solutions/Malware Protection Essentials/SolutionMetadata.json create mode 100644 Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.csv create mode 100644 Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.json create mode 100644 Solutions/Malware Protection Essentials/Workbooks/MalwareProtectionEssentialsWorkbook.json diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml new file mode 100644 index 00000000000..3c1ffe88f16 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml 
@@ -0,0 +1,94 @@ +id: 259de2c1-c546-4c6d-a17c-df639722f4d7 +name: Detect Malicious Usage of Recovery Tools to Delete Backup Files +description: | + This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files. + https://attack.mitre.org/techniques/T1490/ +severity: High +status: Available +tags: + - Schema: _ASim_ProcessEvent + SchemaVersion: 0.1.4 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +relevantTechniques: + - T1490 +query: | + _ASim_ProcessEvent + | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe') + | where CommandLine has_all ('delete', 'shadow') + | union isfuzzy=True + (_ASim_ProcessEvent + | where TargetProcessFilename =~ 'bcedit.exe' + | where CommandLine has_all ('/set', 'recoveryenabled no') + ) + | project + TimeGenerated, + DvcHostname, + DvcIpAddr, + DvcDomain, + TargetUsername, + TargetUsernameType, + TargetProcessName, + TargetProcessId, + CommandLine + | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername) + | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername) + | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username) + | 
extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '') +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DvcIpAddr + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: TargetProcessId + - identifier: CommandLine + columnName: CommandLine +eventGroupingSettings: + aggregationKind: AlertPerResult +alertDetailsOverride: + alertDisplayNameFormat: "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})" + alertDescriptionFormat: "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files." +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml new file mode 100644 index 00000000000..ee02d7f13fc --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/PrintProcessersModified.yaml 
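Review bot: The second union branch in `query` filters on `TargetProcessFilename =~ 'bcedit.exe'`, but the Windows binary is `bcdedit.exe`, so the recovery-disable case never matches. The first branch's `CommandLine has_all ('delete', 'shadow')` is also narrower than the description implies: `has` matches whole terms, so `vssadmin delete shadows` and `wmic shadowcopy delete` do not contain the term `shadow`, and `wbadmin delete catalog` contains no such term at all. I would change the two lines to `| where TargetProcessFilename =~ 'bcdedit.exe'` and `| where CommandLine has 'delete' and CommandLine has_any ('shadows', 'shadowcopy', 'shadowstorage', 'catalog')`, and consider `bootstatuspolicy ignoreallfailures` alongside `recoveryenabled no`. Worth confirming the term semantics against a sample of your ASIM ProcessEvent data before shipping, since a High-severity rule that silently matches nothing is worse than a noisy one.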
@@ -0,0 +1,106 @@ +id: 7edde3d4-9859-4a00-b93c-b19ddda55320 +name: Detect Print Processors Registry Driver Key Creation/Modification +description: | + This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary. +severity: Medium +status: Available +tags: + - Schema: _ASim_RegistryEvent + SchemaVersion: 0.1.2 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence + - PrivilegeEscalation +relevantTechniques: + - T1547 +query: | + // Print Processor Registry Key RegEx + let printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows\s[A-Za-z0-9]+\\Print Processors\\[A-Za-z0-9]+\\Driver'; + _ASim_RegistryEvent + | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') + | where RegistryKey matches regex printProcessorRegistryRegEx + | project + TimeGenerated, + DvcHostname, + ActorUsername, + ActorUsernameType, + ActingProcessId, + ActingProcessName, + ActingProcessCommandLine, + RegistryKey, + RegistryValue, + RegistryValueType, + RegistryValueData + | extend HostName = tostring(split(DvcHostname, '.')[0]) + | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.')) + | extend Username = iff(tostring(ActorUsernameType) == 'Windows', 
tostring(split(ActorUsername, '\\')[1]), ActorUsername) + | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername) + | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '') + | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: ActingProcessCommandLine + - entityType: RegistryKey + fieldMappings: + - identifier: Hive + columnName: RegHive + - identifier: Key + columnName: RegKey + - entityType: RegistryValue + fieldMappings: + - identifier: Name + columnName: RegistryValue + - identifier: Value + columnName: RegistryValueData + - identifier: ValueType + columnName: RegistryValueType +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: + alertDisplayNameFormat: "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + alertDescriptionFormat: "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}." +version: 1.0.0 +kind: Scheduled \ No newline at end of file 
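Review bot: `alertDisplayNameFormat` interpolates `{{DvcIpAddr}}`, but the `project` step in `query` drops that column (it keeps `DvcHostname` only), so the placeholder renders empty in every alert; add `DvcIpAddr,` after `DvcHostname,` in the project list. The regex is also tighter than the real key layout: the environment segment `Windows\s[A-Za-z0-9]+` does not match `Windows NT x86`, and `[A-Za-z0-9]+\\Driver` rejects any print-processor name containing `_`, `-` or a space, which an adversary picks freely. Since `matches regex` is case-sensitive, a source that logs `System` rather than `SYSTEM` would be missed as well. I would loosen it to `@'(?i)HKEY_LOCAL_MACHINE\\SYSTEM\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\Control\\Print\\Environments\\Windows[^\\]*\\Print Processors\\[^\\]+\\Driver'`.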
diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/StartupRegistryModified.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/StartupRegistryModified.yaml new file mode 100644 index 00000000000..741703467ad --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/StartupRegistryModified.yaml 
@@ -0,0 +1,122 @@ +id: dd041e4e-1ee2-41ec-ba4e-82a71d628260 +name: Detect Registry Run Key Creation/Modification +description: | + This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary. +severity: Medium +status: Available +tags: + - Schema: _ASim_RegistryEvent + SchemaVersion: 0.1.2 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Persistence + - PrivilegeEscalation + - DefenseEvasion +relevantTechniques: + - T1547 + - T1112 +query: | + // List of startup registry keys to monitor + let startupRegistryList = dynamic([ + 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', + 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce', + 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices', + 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run', + 
'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit', + 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell', + 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows' + ]); + _ASim_RegistryEvent + | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList) + | project + TimeGenerated, + DvcHostname, + ActorUsername, + ActorUsernameType, + ActingProcessId, + ActingProcessName, + ActingProcessCommandLine, + RegistryKey, + RegistryValue, + RegistryValueType, + RegistryValueData + | extend HostName = tostring(split(DvcHostname, '.')[0]) + | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.')) + | extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername) + | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername) + | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '') + | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + 
columnName: ActingProcessCommandLine + - entityType: RegistryKey + fieldMappings: + - identifier: Hive + columnName: RegHive + - identifier: Key + columnName: RegKey + - entityType: RegistryValue + fieldMappings: + - identifier: Name + columnName: RegistryValue + - identifier: Value + columnName: RegistryValueData + - identifier: ValueType + columnName: RegistryValueType +eventGroupingSettings: + aggregationKind: SingleAlert +alertDetailsOverride: + alertDisplayNameFormat: "Registry Run Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + alertDescriptionFormat: "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry run key {{RegistryKey}}." +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml new file mode 100644 index 00000000000..6ca9b802d68 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/SuspiciousProcessCreation.yaml 
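Review bot: As in the print-processor rule, `alertDisplayNameFormat` uses `{{DvcIpAddr}}` but `project` in `query` does not keep that column, so the IP is blank in the alert title; add `DvcIpAddr,` after `DvcHostname,` in the project list. The `HKEY_CURRENT_USER\\...` entries in `startupRegistryList` are also worth checking against real data: some sources (Sysmon among them) record per-user keys as `HKEY_USERS\<SID>\Software\...`, in which case the HKCU prefixes never match and user-level Run/RunOnce persistence is missed. Matching on the hive-less suffix (e.g. `'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'`) would cover both spellings, at the cost of also matching HKU, which is the intent here anyway.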
@@ -0,0 +1,95 @@ +id: fdbcc0eb-44fb-467e-a51d-a91df0780a81 +name: Process Creation with Suspicious CommandLine Arguments +description: | + This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed. +severity: Medium +status: Available +tags: + - Schema: _ASim_ProcessEvent + SchemaVersion: 0.1.4 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Execution + - DefenseEvasion +relevantTechniques: + - T1059 + - T1027 +query: | + _ASim_ProcessEvent + | where EventType == 'ProcessCreated' + | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, " "), 1, -1)) + | where strlen(CommandLineArgs) > 0 + | mv-apply CommandLineArgs on + ( + where CommandLineArgs contains "base64" + ) + | project + TimeGenerated, + DvcHostname, + DvcIpAddr, + DvcDomain, + TargetUsername, + TargetUsernameType, + TargetProcessName, + TargetProcessId, + CommandLine + | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername) + | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername) + | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '') +entityMappings: + - entityType: Host + 
fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DvcIpAddr + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: TargetProcessId + - identifier: CommandLine + columnName: CommandLine +eventGroupingSettings: + aggregationKind: AlertPerResult +alertDetailsOverride: + alertDisplayNameFormat: "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})" + alertDescriptionFormat: "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created." +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml new file mode 100644 index 00000000000..7a4d6363b28 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/WindowsAllowFirewallRuleAdded.yaml 
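Review bot: The filter `where CommandLineArgs contains "base64"` in `query` only catches the literal substring `base64` (e.g. `FromBase64String`), not base64-encoded arguments as the description promises, so the most common case, `powershell -EncodedCommand <blob>`, is never flagged. The split/`mv-apply` scaffolding around it is equivalent to a plain `CommandLine contains 'base64'`, and `strlen(CommandLineArgs)` is applied to a dynamic array where `array_length` is the intended function. I would replace the six lines from `| extend CommandLineArgs` through the closing `)` of the `mv-apply` with `| where CommandLine contains 'base64' or CommandLine matches regex @'(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{40,}'`, with a comment noting the regex is a heuristic for `-e`/`-enc`/`-EncodedCommand` followed by a long base64 token. Expect `contains 'base64'` to be noisy on build and scripting hosts; `AlertPerResult` with no allow-list will alert on every legitimate `base64 -d`.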
@@ -0,0 +1,110 @@ +id: 056593d4-ca3b-47a7-be9d-d1d0884a1d36 +name: Detect Windows Allow Firewall Rule Addition/Modification +description: | + This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host. +severity: Medium +status: Available +tags: + - Schema: _ASim_RegistryEvent + SchemaVersion: 0.1.2 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1562 +query: | + // List of Windows Firewall registry keys to monitor + let firewallRegistryList = dynamic([ + 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Static\\System', + 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\RestrictedServices\\Configurable\\System', + 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Defaults\\FirewallPolicy\\FirewallRules', + 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall' + ]); + _ASim_RegistryEvent + | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') + | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE') + | project + TimeGenerated, + DvcHostname, + ActorUsername, + ActorUsernameType, + ActingProcessId, + 
ActingProcessName, + ActingProcessCommandLine, + RegistryKey, + RegistryValue, + RegistryValueType, + RegistryValueData + | extend HostName = tostring(split(DvcHostname, '.')[0]) + | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.')) + | extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername) + | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername) + | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '') + | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: ActingProcessCommandLine + - entityType: RegistryKey + fieldMappings: + - identifier: Hive + columnName: RegHive + - identifier: Key + columnName: RegKey + - entityType: RegistryValue + fieldMappings: + - identifier: Name + columnName: RegistryValue + - identifier: Value + columnName: RegistryValueData + - identifier: ValueType + columnName: RegistryValueType +eventGroupingSettings: + aggregationKind: singleAlert +alertDetailsOverride: + alertDisplayNameFormat: "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}" + alertDescriptionFormat: 
"An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}}." +version: 1.0.0 +kind: Scheduled \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml new file mode 100644 index 00000000000..b47dcf07b56 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Analytic Rules/WindowsUpdateDisabled.yaml 
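Review bot: `firewallRegistryList` in `query` omits the key that `netsh advfirewall firewall add rule` and the Windows Firewall API actually write to, `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules`; the list only has the `...\SharedAccess\Defaults\FirewallPolicy\FirewallRules` path, which holds the shipped defaults, so a locally added allow rule is not detected. Add `'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules',` to the list. Separately, `aggregationKind: singleAlert` is lower-cased here (and in the Windows Update rule) while the other rules use `SingleAlert`; if the template validator treats the enum case-sensitively this will fail packaging, so normalise it.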
@@ -0,0 +1,109 @@ +id: f1443a87-78d5-40c3-b051-f468f0f2def0 +name: Detect Windows Update Disabled from Registry +description: | + This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host. +severity: Medium +status: Available +tags: + - Schema: _ASim_RegistryEvent + SchemaVersion: 0.1.2 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +queryFrequency: 1h +queryPeriod: 1h +triggerOperator: gt +triggerThreshold: 0 +tactics: + - DefenseEvasion +relevantTechniques: + - T1562 +query: | + // List of Windows Firewall registry keys to monitor + let windowsUpdateRegistryList = dynamic([ + 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate', + 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU' + ]); + _ASim_RegistryEvent + | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') + | where RegistryKey has_any (windowsUpdateRegistryList) + | where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1' + | project + TimeGenerated, + DvcHostname, + ActorUsername, + ActorUsernameType, + ActingProcessId, + ActingProcessName, + ActingProcessCommandLine, + RegistryKey, + RegistryValue, + RegistryValueType, + RegistryValueData + | extend HostName = tostring(split(DvcHostname, '.')[0]) + | extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.')) + | extend Username = 
iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[1]), ActorUsername) + | extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\')[0]), ActorUsername) + | extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '') + | extend RegHive = tostring(split(RegistryKey, '\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\'), 1, -1), '\\')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: ActingProcessCommandLine + - entityType: RegistryKey + fieldMappings: + - identifier: Hive + columnName: RegHive + - identifier: Key + columnName: RegKey + - entityType: RegistryValue + fieldMappings: + - identifier: Name + columnName: RegistryValue + - identifier: Value + columnName: RegistryValueData + - identifier: ValueType + columnName: RegistryValueType +eventGroupingSettings: + aggregationKind: singleAlert +alertDetailsOverride: + alertDisplayNameFormat: "Windows Update Disabled from Registry on {{HostName}}" + alertDescriptionFormat: "Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}" +version: 1.0.0 +kind: Scheduled \ No newline at end of file 
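Review bot: The `RegistryValueData == '1'` comparison in `query` assumes DWORD data arrives as the bare decimal string, but EDR and Sysmon sources commonly emit `0x1`, `0x00000001` or `DWORD (0x00000001)`, in which case neither `NoAutoUpdate=1` nor `AUOptions=1` ever matches. I would change the line to `| where RegistryValue in~ ('AUOptions', 'NoAutoUpdate') and RegistryValueData matches regex @'^(0x)?0*1$|\(0x0*1\)$'`, or verify against your connectors that the value really is normalised to `1`. The comment above the key list, `// List of Windows Firewall registry keys to monitor`, is a copy-paste from the firewall rule and should read `// List of Windows Update registry keys to monitor`. As in the firewall rule, `aggregationKind: singleAlert` should match the `SingleAlert` casing used elsewhere.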
diff --git a/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json new file mode 100644 index 00000000000..0aa4856d888 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Data/Solution_MalwareProtectionEssentials.json 
@@ -0,0 +1,35 @@ +{ + "Name": "Malware Protection Essentials", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. [Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. 
[Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. [Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.", + "Analytic Rules": [ + "Analytic Rules/StartupRegistryModified.yaml", + "Analytic Rules/PrintProcessersModified.yaml", + "Analytic Rules/SuspiciousProcessCreation.yaml", + "Analytic Rules/BackupDeletionDetected.yaml", + "Analytic Rules/WindowsUpdateDisabled.yaml", + "Analytic Rules/WindowsAllowFirewallRuleAdded.yaml" + ], + "Hunting Queries": [ + "Hunting Queries/NewMaliciousScheduledTask.yaml", + "Hunting Queries/FileCretaedInStartupFolder.yaml", + "Hunting Queries/FilesWithRansomwareExtensions.yaml", + "Hunting Queries/NewScheduledTaskCreation.yaml", + "Hunting Queries/SystemFilesModifiedByUser.yaml", + "Hunting Queries/ExecutableInUncommonLocation.yaml" + ], + "Watchlists": [ + "Watchlists/RansomwareFileExtensions.json" + ], + "WatchlistDescription": "This watchlist contains a list of file extensions that are commonly used by ransomware. Add additional file extensions to this watchlist as required.", + "Workbooks": [ + "Workbooks/MalwareProtectionEssentialsWorkbook.json" + ], + "WorkbooksDescription": "This workbook provides details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.", + "BasePath": "C:\\Users\\rahkuma\\Downloads\\Github\\Azure-Sentinel\\Solutions\\Malware Protection Essentials\\", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false + } \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/ExecutableInUncommonLocation.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/ExecutableInUncommonLocation.yaml new file mode 100644 index 00000000000..1bb269ce34b --- /dev/null 
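Review bot: `BasePath` is a developer's local path, `C:\\Users\\rahkuma\\Downloads\\Github\\Azure-Sentinel\\...`, which leaks a username and cannot be used by anyone else running the packaging tool; point it at a repository-relative path such as `Solutions\\Malware Protection Essentials\\` or leave it to the tool's command-line argument. The `Description` wraps the docs link in a `nam06.safelinks.protection.outlook.com` redirector that embeds an internal Microsoft e-mail address and tracking parameters; replace it with the direct `https://docs.microsoft.com/azure/sentinel/sentinel-solutions-catalog#domain-solutions`. The prerequisite list (AWS, Azure Firewall, Palo Alto, Zscaler, …) and the `Summarize data` logic-app recommendation appear to be copied from a network-oriented solution: the rules in this commit read `_ASim_ProcessEvent`, `_ASim_RegistryEvent` and `_ASim_FileEvent`, whose sources are the EDR connectors named in each YAML, and the diffstat shows no playbook in this solution, so the text should list those endpoint solutions instead and drop the playbook paragraph.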
+++ b/Solutions/Malware Protection Essentials/Hunting Queries/ExecutableInUncommonLocation.yaml 
@@ -0,0 +1,101 @@ +id: ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f +name: Executable Files Created in Uncommon Locations +description: | + This analytic rule detects any executable file creation in uncommon locations like temproray folders. This could be an indication of a persistence or defese evasion attempt by an adversary. +tags: + - Schema: _ASim_FileEvent + SchemaVersion: 0.2.1 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - Persistence + - PrivilegeEscalation + - DefenseEvasion +relevantTechniques: + - T1037 + - T1547 + - T1564 +query: | + // List of file extensions to monitor + let executableExtensions = dynamic(['exe', 'bat', 'cmd', 'vbs', 'ps1', 'psm1', 'wsf']); + // List of file locations to monitor + let fileLocations = dynamic([ + '\\Windows\\System32\\', + '\\Windows\\Temp\\', + '\\AppData\\Local\\Temp\\', + '\\Recycle Bin\\' + ]); + _ASim_FileEvent + | where EventType == 'FileCreated' + | extend FileExtension = tostring(split(FileName, '.')[1]) + | where FileExtension in~ (executableExtensions) and FilePath has_any (fileLocations) + | project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User) + | extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '') + | extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username) + | extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '') + | extend Host_0_HostName = 
DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = UPNSuffix + | extend Account_0_NTDomain = NTDomain + | extend File_0_Name = FileName + | extend File_0_Directory = FilePath + | extend FileHash_0_Algorithm = HashType + | extend FileHash_0_Value = Hash + | extend Process_0_ProcessId = ActingProcessId + | extend Process_0_CommandLine = CommandLine +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileName + - identifier: Directory + columnName: FilePath + - entityType: FileHash + fieldMappings: + - identifier: Algorithm + columnName: HashType + - identifier: Value + columnName: Hash + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/FileCretaedInStartupFolder.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/FileCretaedInStartupFolder.yaml new file mode 100644 index 00000000000..9b13a7e3e3d --- /dev/null +++ b/Solutions/Malware Protection Essentials/Hunting Queries/FileCretaedInStartupFolder.yaml 
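Review bot: `| extend FileExtension = tostring(split(FileName, '.')[1])` in the query takes the second dot-separated segment rather than the last, so a name such as `installer.v2.exe` yields `v2` and is missed while `report.exe.txt` yields `exe` and is flagged; use `| extend FileExtension = tostring(split(FileName, '.')[-1])` to read the trailing extension. The same expression appears in the FilesWithRansomwareExtensions hunk, where it matters more because ransomware typically appends its extension after the original one. Separately, `'\\Windows\\System32\\'` in `fileLocations` is not an uncommon location and does not match the description's "temporary folders"; routine updates and installers write executables there and will dominate the results of this hunt. The description also reads "temproray" and "defese evasion" and calls this hunting query an "analytic rule".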
@@ -0,0 +1,98 @@ +id: 64e199a8-b26c-462f-a65c-09ed9b53a47b +name: Detect File Creation in Startup Folder +description: | + This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system. +tags: + - Schema: _ASim_FileEvent + SchemaVersion: 0.2.1 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - Persistence + - PrivilegeEscalation + - DefenseEvasion +relevantTechniques: + - T1547 + - T1112 +query: | + // List of startup folders to monitor for Windows and Linux + let startupFolderList = dynamic([ + '\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\', + '\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\', + '/etc/init.d/', + '/etc/rc.d/', + '/etc/cron.d/' + ]); + _ASim_FileEvent + | where EventType == 'FileCreated' + | where FilePath has_any (startupFolderList) + | project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User) + | extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '') + | extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username) + | extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '') + | extend Host_0_HostName = DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = 
UPNSuffix + | extend Account_0_NTDomain = NTDomain + | extend File_0_Name = FileName + | extend File_0_Directory = FilePath + | extend FileHash_0_Algorithm = HashType + | extend FileHash_0_Value = Hash + | extend Process_0_ProcessId = ActingProcessId + | extend Process_0_CommandLine = CommandLine +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileName + - identifier: Directory + columnName: FilePath + - entityType: FileHash + fieldMappings: + - identifier: Algorithm + columnName: HashType + - identifier: Value + columnName: Hash + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/FilesWithRansomwareExtensions.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/FilesWithRansomwareExtensions.yaml new file mode 100644 index 00000000000..4802736d11f --- /dev/null +++ b/Solutions/Malware Protection Essentials/Hunting Queries/FilesWithRansomwareExtensions.yaml 
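Review bot: `relevantTechniques` lists T1112 (Modify Registry), but nothing in the query reads registry events; it only filters `_ASim_FileEvent` on `FilePath has_any (startupFolderList)`, and registry-based startup persistence is covered by the separate StartupRegistryModified rule referenced in the solution manifest. The Linux entries `/etc/init.d/` and `/etc/rc.d/` correspond to T1037 and `/etc/cron.d/` to T1053 (both used elsewhere in this change), so `- T1037` and `- T1053` are better fits than `- T1112`, and the `DefenseEvasion` tactic would then have no supporting technique and could be dropped. The file name `FileCretaedInStartupFolder.yaml` is misspelled; if it is renamed, the path in `Solution_MalwareProtectionEssentials.json` must be updated to match.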
@@ -0,0 +1,92 @@ +id: 595aea5c-74c7-415b-8b12-10af1a338cdf +name: Detect Files with Ramsomware Extensions +description: | + This hunting query identifies cretion of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions. +tags: + - Schema: _ASim_FileEvent + SchemaVersion: 0.2.1 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - Execution + - Impact +relevantTechniques: + - T1204 + - T1486 +query: | + // Get list of ransomware file extensions from watchlist RansomwareFileExtension + let RansomwareFileExtensions = _GetWatchlist('RansomwareFileExtensions') | where Enabled == 'Yes' | project FileExtension; + _ASim_FileEvent + | where EventType !in ('FileDeleted' , 'DeleteFile') + | extend FileExtension = tostring(split(FileName, '.')[1]) + | where FileExtension in~ (RansomwareFileExtensions) + | project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User) + | extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '') + | extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username) + | extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '') + | extend Host_0_HostName = DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = UPNSuffix + | extend 
Account_0_NTDomain = NTDomain + | extend File_0_Name = FileName + | extend File_0_Directory = FilePath + | extend FileHash_0_Algorithm = HashType + | extend FileHash_0_Value = Hash + | extend Process_0_ProcessId = ActingProcessId + | extend Process_0_CommandLine = CommandLine +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileName + - identifier: Directory + columnName: FilePath + - entityType: FileHash + fieldMappings: + - identifier: Algorithm + columnName: HashType + - identifier: Value + columnName: Hash + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/NewMaliciousScheduledTask.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/NewMaliciousScheduledTask.yaml new file mode 100644 index 00000000000..7c6234996db --- /dev/null +++ b/Solutions/Malware Protection Essentials/Hunting Queries/NewMaliciousScheduledTask.yaml 
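Review bot: The query depends on the `RansomwareFileExtensions` watchlist exposing an `Enabled` column compared to the literal `'Yes'` and a `FileExtension` column, but the description only names the watchlist; `_GetWatchlist` fails for the whole query if the watchlist has not been deployed or either column is renamed, so this contract should be documented. A sentence such as `Requires the RansomwareFileExtensions watchlist shipped with this solution, with columns FileExtension and Enabled; only rows where Enabled is 'Yes' are matched.` in the description would cover it. The `name` and `description` also misspell "Ramsomware" and "cretion".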
@@ -0,0 +1,94 @@ +id: b43394b9-fa91-4d98-b331-619926a933bb +name: Detect New Scheduled Task Creation that Run Executables From Non-Standard Location +description: | + This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. +tags: + - Schema: _ASim_ProcessEvent + SchemaVersion: 0.1.4 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - Execution + - PrivilegeEscalation + - Persistence +relevantTechniques: + - T1053 +query: | + // List of file locations to monitor + let fileLocations = dynamic([ + '\\Windows\\Temp\\', + '\\AppData\\Local\\Temp\\', + '\\Recycle Bin\\' + ]); + _ASim_ProcessEvent + | where EventType == 'ProcessCreated' + | where TargetProcessName has 'schtasks.exe' and TargetProcessCommandLine has_any (fileLocations) + | project + TimeGenerated, + DvcHostname, + DvcIpAddr, + DvcDomain, + TargetUsername, + TargetUsernameType, + TargetProcessName, + TargetProcessId, + CommandLine + | extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[1]), TargetUsername) + | extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername) + | extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username) + | extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '') + | extend 
Host_0_HostName = DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend IP_0_Address = DvcIpAddr + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = UPNSuffix + | extend Account_0_NTDomain = NTDomain + | extend Process_0_ProcessId = TargetProcessId + | extend Process_0_CommandLine = CommandLine + +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: IP + fieldMappings: + - identifier: Address + columnName: DvcIpAddr + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: TargetProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/NewScheduledTaskCreation.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/NewScheduledTaskCreation.yaml new file mode 100644 index 00000000000..f9b0828c249 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Hunting Queries/NewScheduledTaskCreation.yaml 
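Review bot: `| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), TargetUsername)` falls back to the whole `TargetUsername` for non-Windows name types, so for a UPN or simple user name the full name is copied into `Account_0_NTDomain`, `Host_0_NTDomain` and the NTDomain entity mappings below. The sibling `UPNSuffix` line and the other hunting queries in this change default to the empty string, which this line should do too: `| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\')[0]), '')`. Note also that `TargetProcessName has 'schtasks.exe'` only sees tasks registered through that binary; tasks registered through the Task Scheduler API or PowerShell cmdlets presumably do not spawn it, so this query is complementary to NewScheduledTaskCreation, which watches the Tasks folder in `_ASim_FileEvent`, and the description should say so.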
@@ -0,0 +1,91 @@ +id: 4dc0aae4-6375-4670-b138-8c42490ba206 +name: Detect New Scheduled Task Entry Creations +description: | + This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. +tags: + - Schema: _ASim_FileEvent + SchemaVersion: 0.2.1 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - Execution + - PrivilegeEscalation + - Persistence +relevantTechniques: + - T1053 +query: | + _ASim_FileEvent + | where EventType in ('FileCreated' , 'FileModified') + | where FilePath has '\\Windows\\System32\\Tasks' + | project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User) + | extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '') + | extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username) + | extend NTDomain = iff(User contains '\\', tostring(split(User, '\\')[0]), '') + | extend Host_0_HostName = DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = UPNSuffix + | extend Account_0_NTDomain = NTDomain + | extend File_0_Name = FileName + | 
extend File_0_Directory = FilePath + | extend FileHash_0_Algorithm = HashType + | extend FileHash_0_Value = Hash + | extend Process_0_ProcessId = ActingProcessId + | extend Process_0_CommandLine = CommandLine + +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileName + - identifier: Directory + columnName: FilePath + - entityType: FileHash + fieldMappings: + - identifier: Algorithm + columnName: HashType + - identifier: Value + columnName: Hash + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Hunting Queries/SystemFilesModifiedByUser.yaml b/Solutions/Malware Protection Essentials/Hunting Queries/SystemFilesModifiedByUser.yaml new file mode 100644 index 00000000000..f3494176e36 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Hunting Queries/SystemFilesModifiedByUser.yaml 
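Review bot: `| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by ...` has the aggregates swapped, so StartTime is the latest event and EndTime the earliest; it should read `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType`. The same inverted pair appears in the SystemFilesModifiedByUser hunk. Because `Hash` is part of the grouping key, a task file modified several times with different content produces one row per content version; a short comment stating that this is intended would save the next reader from wondering whether the summarize is meant to collapse per file.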
@@ -0,0 +1,108 @@ +id: 54b222c4-0149-421e-9d6d-da66da50495a +name: Detect Modification to System Files or Directories by User Accounts +description: | + This hunting query searches for modifications to system files or directories by a non system account (User Account). +tags: + - Schema: _ASim_FileEvent + SchemaVersion: 0.2.1 +requiredDataConnectors: + - connectorId: CrowdStrikeFalconEndpointProtection + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftThreatProtection + dataTypes: + - SecurityAlert + - connectorId: SentinelOne + dataTypes: + - SentinelOne_CL + - connectorId: VMwareCarbonBlack + dataTypes: + - CarbonBlackNotifications_CL + - connectorId: CiscoSecureEndpoint + dataTypes: + - CiscoSecureEndpoint_CL + - connectorId: TrendMicroApexOne + dataTypes: + - TMApexOneEvent +tactics: + - DefenseEvasion + - Persistence + - PrivilegeEscalation +relevantTechniques: + - T1036 + - T1543 +query: | + // List of system file and directories to monitor + let systemFilesAndDirs = dynamic([ + "\\Windows\\System32", + "//etc", + "//bin", + "//root", + "//lib", + "//usr", + "//dev" + ]); + let systemUserTypes = dynamic([ + 'System', + 'Service', + 'Machine', + 'Other' + ]); + _ASim_FileEvent + | where EventType in ('FileCreated' , 'FileModified') + | where FilePath has_any (systemFilesAndDirs) and ActorUserType !in (systemUserTypes) + | where isnotempty(ActorUserType) + | project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType + | extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User) + | extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '') + | extend Username = iff(User contains '\\', tostring(split(User, '\\')[1]), Username) + | extend NTDomain = 
iff(User contains '\\', tostring(split(User, '\\')[0]), '') + | extend Host_0_HostName = DvcHostname + | extend Host_0_DnsDomain = DvcDomain + | extend Host_0_NTDomain = NTDomain + | extend Account_0_Name = Username + | extend Account_0_UPNSuffix = UPNSuffix + | extend Account_0_NTDomain = NTDomain + | extend File_0_Name = FileName + | extend File_0_Directory = FilePath + | extend FileHash_0_Algorithm = HashType + | extend FileHash_0_Value = Hash + | extend Process_0_ProcessId = ActingProcessId + | extend Process_0_CommandLine = CommandLine +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: DvcHostname + - identifier: DnsDomain + columnName: DvcDomain + - identifier: NTDomain + columnName: NTDomain + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Username + - identifier: UPNSuffix + columnName: UPNSuffix + - identifier: NTDomain + columnName: NTDomain + - entityType: File + fieldMappings: + - identifier: Name + columnName: FileName + - identifier: Directory + columnName: FilePath + - entityType: FileHash + fieldMappings: + - identifier: Algorithm + columnName: HashType + - identifier: Value + columnName: Hash + - entityType: Process + fieldMappings: + - identifier: ProcessId + columnName: ActingProcessId + - identifier: CommandLine + columnName: CommandLine +version: 1.0.0 \ No newline at end of file 
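Review bot: The Linux entries in `systemFilesAndDirs` (`"//etc"`, `"//bin"`, `"//root"`, ...) carry a doubled leading slash, which reads as an unneeded escape copied from the backslash entry, and because `has_any` matches whole terms with punctuation as separators, `"//bin"` or `"//lib"` matches any path containing a `bin` or `lib` component (a user's home-directory `bin`, an application's `lib` folder), not only the root directories the description targets. If the intent is root-anchored system directories, match the prefix explicitly, e.g. `| where (FilePath has '\\Windows\\System32' or FilePath matches regex @'^/(etc|bin|root|lib|usr|dev)(/|$)') and ActorUserType !in (systemUserTypes)`. The `systemUserTypes` list also relies on the exact ASim `ActorUserType` values `System`, `Service`, `Machine` and `Other`; a one-line comment pointing to the schema enumeration they come from would help anyone extending the list.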
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.0.zip b/Solutions/Malware Protection Essentials/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..4f2c1bf6766f9531cccdff9ea38f3a78a130c829 GIT binary patch literal 21601 zcmY&;V{|6KvTbbJnb@{%+jjEBb|$v%Ol(hV+qP}{&N=tKAMamx)mpuF?W)z-)rvBp zU}!)`w-^w!Syc2~OI z&ZuKGKR>ElH?v31Yoy6Lj{1vxfDF>QHMw6haBUW-)JwTm8;#gAlkziz>3knsHwx#T z>j<2?b%ILh;R}dT)v1e#+E)TUCxpVP-x@k3Y^f;{f0!fx2ntxU%F6iC@^Pt}9ErKU z(IcpB-H%A+*|ATm;FBAN;vR-N?MJ{UO9NbS%3M~Drc@q zcm!yK1YZo+3mbd{m2I1?fV0x`{KFPKy~ zljF|ZG{+fVqrOyC%Ft|rZth%I-Gt69lx+B&#zFvtuN}w0avkiXOvpV)c|D>X(u;*0 z7S7R$^5B037ZY2$36Ty?j63o@yHavPeN}mpwPz+Ki^qcl+&8U$i{T%e%z`Jjw)4~d zNZ%EPnD>$3^>|y*dLE-%HmE5tW)Kl&Gn41hKgX^9KIJ9-r*ruFEL8s1awo=0C{rS< z50_Zch_qg3TT!$-Ts#)TVyw3UN|&q|r2waF)}@jO3BhOAjTc{PWoYmn9ogNHcq>A5 z#0rX-4&)aC8wupVN!j`H7w35{ehwhOj%X<4Do!X&vV4-l!)bG~#)eB#(5?DH2%-l8 zspiIjWy3#O+N98XX|1vYi5^coL+W_R1oQTHu zQ&3FJ$W%2X&&L$TcSkBmEWy)JGXWPO_Y`w`&R4hf#PqhCbIX>!J1rH@mtJL?%>>uB$K6;5 z$@_=Y4A(k;yIsuTTk!XH&&r3y28I4Z-!U+d9eY;r^5(WSBiIn$45>XN62mmR+|aKQbEl2G~1_n%qWN%=q2TMNcvn0vr7w%+nZ3S?#iBT ziP)k@3MoS86{DrxQ6lvq#rvkAYnZ9dAxt5SVXTAEFGdMr`-u(DdnM#VhjK4;R^SfA z+nH*=hURw8_55#1U!h+V@5iA|}emLWlE$HaP zo5aHLY~SL$uE#wLkwwdo!rn82ucCud(Z_8lb}|NVCv~@`8JC$3G>xGa{)#jSCFyY& zrLBdy(8}uD*t9gZv}|l|TirBYXeq##T31K^`1*3$Cg4EQ$1@sr{JNwn>y4MZ4YN4a z#;$~bw*2NB>@0?4cJ?t9Ks@v{oEcei{`V~rR3p>Y_4B1UD&kV zmVfNN7enIbpDFQ*Mg?Lfip6K}>tJqR1BI||wYb|j62}G^ zyU*jvy;6A81N=Cd%E9d}t}}2=B8ivwQ+*1|xjL@ry5;q7>R{^u?@9;27oF^QDW^hU zXO2Ghgbtuc&+(yHAUnjS{W=dVm4pl}wc|G^KCMx9X=$cNKcnSLOJMWDAPL;hIscd# zoe3s~w?c_dX1m|TM!+w=@cdZn1?s@D(ZlKrAgXzUV{@VXETM~lLg_{iq;7E0gWVov zrs(HkX>4w8TnWavvu}2PIhQ&}Nebvlgo_RLI+6U8#&#YEBYE?xmE78-3XyAze1eHW zgMzh%S+ex0J?s>}$N56Z)fd#h&~lI(>r<l*7DuwDak8#L`klZ+a)op*ZDPvs_t6}UH%5c%_j(sFK_RI-v z$3DTCZi-0!aNsf9=~0Sc3By{c4~7F_PZ(~D9WlWs1}ZHN{mp>>7hDVc5%qdej~~QS zJ6f=Y2fS+x>mV|yaI!cIaR$XBvM*@NE)+G8`HF;mQg0u+l?9bQz>Pu}a?|MwZtPuW 
zJ}O`idx13wqN*1p{=1Gj>g>^A>ai;4DRv(W^f&0037NzrdxIvdrY$}BVxo_md655gUm^rKt}g#5vFWxQANpMzTB z38dk%kV|2CnMA;ho8tRqeZgyT>ibx|l)3URHPJR>C>y9Xf?z0IuHnZpMndspB#6=~ zN+k`_2xYr)!;czi6|+y%OT1eWb0_bMc?Y6C(yKS&gH65$`k^s40-R++3^k;U}nPdY!qKwb>s2K{ zAMv^Hx$X)6*&`Y@yZ`=Z3dEzP^YT6}6 z2B8RfCut*^E(9Xt#D$b}(n>yT&E_7Mih6c9;Qp?5ipCUqczL`2jUr77-;#}+0@SVM zxea_DB!*9IeA6+n&PQPku_;V+7>zL2X5#w%m~H~9`_MACS?^Yf^UU}TZAN%f@(R#7 zCS4C8!7JA{v(t16F^nZ6HpfSX#Oq3M;`*Tqbs^a$HHRWh^Z^V;#q?7JZ?e6Mopank zEQz@TWiV{2-F_wqP;-qMfsHUYW0SlD>V6UU8e zbMO$Eg=2PH19oiBn**AL4(U`I<2LUQue_9wESVm@SbXwqC|@g!yE!KCuQCSOR)?5>D8O-4X*C&JS4} z+3eIfRb?14;Tx^d$2z@)Gu}`2u1BkJ3S1p(6Y5@OFffrrsFfT|R393amNbx^@~@L3 zt+Sld2E)0pVshZMU@W*4-BV*3A%^_R`OpO| zxvmdKM+!&lTK#N!5s%2^`XW+#YiOr8ZYcb!dzMJe4;tip*}tvAL>5p|a=n*u%5KLh zsCL4SC}S*+4Ggxa3Qrg>%?Vs2#0OR+zm5S_z~!J|n?UiZpgt-49c{vQa-{62as!o( znvk(auT0!PP!tR`H_4}=1FPZ36=rS^GRbSApH4zzDR9e{n!!!s>({+R^*++C3&p@( zl$`xU6GvVp`ZQUfn)K!`+Q}Hx?}*2 z@Eh-;wxfTQJaMF36|Z5+uq9Qpak5BhKCcEH=J*KocFEFoAN|`2p$+*GN5zf(1WmBr zkLkTMqAVw4y~m6 zDuD{}P#|MVL`K=&iOU)4oFca0A!6ULr_ET#I!vWltFp0QgeJz1sNyYMgFe|Z&0_)W zUnT1b?cVr2t?Za2!Pj|ft9Cnicy3gu(=fWP`drV#zP%Ac{ygXJ!W7dY ztL<2?YN1t``9y`=lWzbPeAzAxa+P~M1$Cp4?~#9N!NUc1+a%49tCg;Ywo4L{8}W_H z7@lLRRt-sIYlMSR<(q0`Z3E4@dQpM*`N6{IoTci}YGzZ-7fMja1Nj>lTB0uUrBGfz zBk*O(+`-lsGuOPVhNF4Se@tRRSsLWc8b6z@zI0KP*$22NIdWr;RH9X!hV)JXb^P{{ zc^F3o47RVWHI)zy$!Pidrb!n@a@Ib_i2?69=ebSZ>NxN40xxdzNI5unb#orQ(6|h~ zSVD5}$N6g{e|nFyDZ6A>avUDejydzOsZqQX^!ht1JE{-IXmDT)wUCBosrF@9+GSSC zw;8)ID`EJ(q@CJhgg9-{@|gU4<+Z=*0rvodZ*~%b%gzTd9ASyg1I`h5`h}BpdfF$| ztndv^kzuN32C{^v(-gg^3{;2HxK~ry8kdiKB{P*<*#q7z;KloNwL@vc@!gE*?*vYs zUrcUkX8Wft?mQ8d%(Dy{x8exgx(PHee3L)r*6y}wzOGZqg?$jQZ;h1`vP)TFl@c3K zQcr-|SR+9s)%UEsh=UfJ<7sq`e2tZqTDnQamPSS91cE+UeWOaD<@x0#eXO&otD1lBa6u2C-{ z>LV( zjL6y|(t`OzPlG&;cQ^{~9N3egGDw~@sxo!q*5@CpN-E_ugPSA#SQ{5Y(XG&t3{6U{ zEUGcu*NBARu(gxQ8lVrL9O;Z1F;hE>n4H-cviZ}KBV!v<*o?V9OF}kB1c&ZwChmhD zL)$_t&qlN;`-D!a$+adHY1__ZlFLYBu053w!b+E)r4!a78mBEM`zm1a1y56*Nb@ll 
zam@cFR+^qBJ%_0@fewu+Vd&80$-rn|K7XJX=G#P`^6}RaV$$%ZNCq}I3Q;5)==a?B z9+f_F`RPIs%>5<3gTF7!u0Rgyd`8v{Zc<>uy=j&DIHjVdifxA3Q)-AHd2j2=WnQN7 zo_XtMw{MY)`|gM~ctnx?R=BLaXXSnbG6c)5{WF@DJ?rJ=|5jhiRk;hj?O4k4%4HtO zPm-2vo|@}>zcA$jUu=;zByo`v^%(awAOHEAE=DVW&X-}5cgX+s&0q2V({*Il%42$k zfPfy{K!EdyZvI=&Zf8?6n;KaIWm&}*+sYgjzfi{FkGVFGKpNI}u3!8p_GZO(M^R_LnQ? zSK3|mh4bZh)A84V@+I7kr_Virh1U)76m&*Lc*t$v{M70Uh}4DEngjps4`|nLX}rT- zSpEQsLD%7ukRpopUS?b8Q%bfWw^Ee_C%=qvi&3PRV00EC41lbw-FXdY2vzJzJToiZ zQSd3p;GgkwGj5mOZNfG7qPcK8dqZ{uE(sN5Iz; zK+LLS^Ui|dQS5;Y@mtMek^S>&$UhylTZ9dA4cb8s64qC>jq7P2Y++v&?Gd}N^7sDN*kHf)=q`af%t(sWlik$Bq2 z!3jNQRDK}K?XM3h{=4w-Dd83wwZ4V$TCHv0K=r{O95fa#gQP>Mt#~wlkqG8E{wjm+ z6;h&8N@)u8(ef_0QL0t^UIeHQevB_KpIo+wRq&RYpUtOMjuVP`Mgm7S5Zw*qQSk+x zvPj^r&ZeP-N-!QyI|8s&N3NU859Ajrg|quKR{*6-3yU95yVy(s=RnZMkdlQ$omuQM zhRaK#l-lPT_$vj>U~MyW3E-!U+zk=mg-+|mx}j?|hJmFgvZdYXQ?}vG5$$MqsW?4U z84}-|acj8bmJ*iX6YB+;ylX^(v?&;GP2hy*u|Y$j?ey;4N)wZ@BB=s&S!h8bs92>; z_SHud@A*-R!pv7~)S_l+2JdrBe1h;f%Ta0#_2h1ZDu5adk26-4YNPT> zxLT#E9{c25*=91eLxwhJ8-kSTuki|=Tkk=W0U{07bkc zs~T!4F5K1TsjVE&5#B6%n^`oNFXncR_BG|L98uxk&R;`a848<)OY*<0j?mo2IaEJ_ zgmRv3uAY(nT-~i=TyU&oE;$yBeBEp1pK-AFx5vq@t6d!Jt93VZ+J?HCOZK;^iLa}l zFkjU99plvhVafT2MX#~3cK$eD3D;$POWS)ET+03u!TP*zV|~Y#J4ARjg&^l#ssJ{45tcgZfhGtVO5#%gw)s9n7X{S^ee3`b)i1>4N?F zB}=bi$NK3*2)FcvB+8pPh4z|x$Y*Ao}sIyq&K?_{M0G z{&$&_|1R^)6O0mnz4dH}>2saqXIr~txs2n=42V~^vCl_f3FbRakt&hKd|s{y=}OUA z)v=+ztS0W?*7i11xE~{xa{60G@oI`9W9nk-sz?$1*Jf*(o>sY|W7pBX>Dk&l$gQ!< z;3mmjuVH=RVGQlrt-Y>AgYNQbvwvG(#mF8L`T2Pr);m#xTq?0Kgs+bzNt3wnqUmGG z+&RGTUve4PaGU z1E{E{w8F4<zGzrqfR%D?*%J;@*xV^WX8X0Bf>w9oL1xlaKt&t~@kmVpjO|NG zzj%VEf5M64{Ec=L71jj`)Mo>~JN_KIqWdi#2zEfKA_qdjeldk1(Xmp3(Y1UUBYJKm zqT()SOrnQ_Y-IR0Oc;T3Wl}f*4O}Y=zvO2DR^6ZbBNSo|C%$I>J@!dH164`=@YgaJ zE3pq9dx#c93yaj_@g(1TR-`w*aBOsmRP?emm} z$a&y?BDJtYklFfI++R7u3mFgXgEoplR)kE4<}%qj%i6huniDI`LH(;aFM zYS^FP4o#x)8JtOCMtZ#33G19`BS>~#FL`ES(vrdM_C>0Z*_V98<&p#=RtC-bf?p=Y zP!#T(>0uDfrh|;GL5rq`9*M{K>QbVayE?E7Qq>01drQNu0)cTPfyx>LJmgC~!4}`U 
zt*+S(%KKjMNM#CML=A_LI*vyz3QTV+DH;RZ>E=+xDeWJcEIPC&T(#!b>8A-i6{?>D z&H74oppJZiDxO!+2|<9!OW^(*{*=i^C1P#(W3mDVEGVBOX_(kxuDL!Pdk-<*N4=`c z1eP)qd4L@kVPzR><;(1H4n^HZAoD4!Wbw;?-S8n!0pi%e^XdJxWg_Us!a~BHfqo~C zFvmAA&pFj;rjK6q^a1`=jV+9M>oKpW)`>~QMO5=%r_-%3ILlAxQx89OT9>n} z6BX<299z6U^Y^{{pZZ!%L)Bf~VTE%dbRKP2`2r@iAM8nLfO3JMN77J>ZOzfW|i(x*V~RK_~rNLH;D8=)4mR(3;ZV9+!V_iwv z$=`At$mZ|=&fc+WAX**)p4-jm9wu_-wno+c87^V z$9+03m`FQ)XoNqFYmhUyY@Z9)_Ia8?T<IEjIAO)4vVSKQWe7ot6>0LthFMmVt!NTH;y=BMxtt~yy#`NSAEpfo5K_hOOpuY zW@9@>ipqwLF$+1dSE^C*G*m5%lM|t}*-0na@kRcA%YNkS{7bLN;h#H1|7)T$p$t|h zLqOAZaPHn6LNDE4pmZXL15y1qB84RoK2oJU&Wx*r3mvtlki5OzhymILqE;#B6hXQy zK^Ycj)G~GMfr$Dk$fQCFeD-$oHa)!!CWSu#Br~0A%}DRv#4o#y2=I=GzSp zmOPE9%sKt41|Cj88g(`1WVuPe6JYEx0nnq7Q;Gee@<}AAra<3U5roKn3W=%2TK!RX zN4UG-Sg`X|i7ZC^n1+)IiQ^jMy)w9)y3r0EQ3z|Ax=U4p?J&}*b#)r+{@;Q5P$qtv zH!=-gpbizdHq^S^9|eNmVtAM|SMp;Ejs^%vwCW23`a&0L1Fh-wvo72B-o-gE6W7Lg zMuAH%Ifu|5DC+`;V>(t8_bAt6*fsyUhxiwV-cFo1D))x7u2>w`XEb#{NI=Ay#tX zBxkZm6KUxq9~T-!dAfe8>?CL-=PR{3btV%+`1LV>QAL~ugC6p0$&YMs+y!8ZIbSOs zWGEDHxBecV1l`5nGjeYS-mCJ8km$Zp&J)gC*ZzZ|;TZl%-f(t50z)yo@FYTQdP3Ph zOoZfnBrK_cDsXwY;;QNLfRTsI5<>xApG|oz;1-}!W4pn2N~cl83sicPc@jJ`0&_C> zDik1}{WBF4AF>k?M%n^(xuQ;eAelq6J|m&>^WKpK56#--dMh+&-1Jc);mQz^_aiko z;={|dw`iDpc_V5j05M{TW&kz=yNRD&GU!4e+CwMb8;F27N*^Ok*q&U$0^0#~aPWZ{ zAZ(&F%sRP8I+m?%$?%maeeZ&cn8H$7(8Uq#{G@2H-$zn5l0jwOY`iRc821E9G%LR8 zHGN_hm-y>~wz-~Fbw!+*mn-NFs2=|)Pb^dKm#+|AItuACE(GyJ=`&_8N2;KyOFN5{ zNF#b?6&P_8>h}&b5|{qM4OaLiNjz}Eq=r54Uyn#o@H=%*<=w8lN2J0L7O=)Jh3+{Q zy*ar*%xElKAqXyYut4#b1K!y2c@|a*a;WX9^<1a7dqUH);NeHKg4ls?bCv7Tzh@HW zgZk@LU!7bgh-RwleVB!Ypn%jKWN>P3TOOhcQ9mCgYM*(^x0Y-^@_t|yXthcZwxQmr zK)>%e;5Z||nHP&3tF=n{t}UVZ=xnK;ejbw~>9DEN=5E=mtDuCiOn(hP_1OfR=qQ<= zU3I3?5`~Zz)di!a#`mKrYYM~2NE(eJjPH9p{6DKiAR0X`UAjAAlPFlpXL5M&t3m`+ z^nV5@$eP3;Bqo1E!BYQkA|txn5(%aHHB~qy^t+sgs*hbh0`(KaA#h4!5Sksc7n=Nr z40Ggzl@Ns@U0X8(mDVxvH)}Fy-_r;*ds;NAE&`)5)1{%a(4`@*uh7)%V_nca86}yU zL&2|-8onin%(L}@Qm9?ZvlNHDlxL6_NCQ(_$ofOT7%IwrG< 
zx^>*!g)W#?B%swsar&UdBcOM=@ad5>1Kqs-%=rN{Wj4%lg(|I~-9uUk6O9A}LK?ol zt^Qg5Si1)p1@IOlQhF^rIcSk5t6WBXRC; zHn^gf(fS91e>WxP&0OV+==GX!&4fB?gYH3HNrN7B(?gkLumlG5Yv;$${7Lxtqo_su zfSfj>Tn4tG%8cJWdzbafm%WV{mmVn-B}IT>4$m=`yXr7 zVS{}|80!0m(s;7J;K>lozZ@B>&Grm2cDQxnKIgTOK2c;06!H1_Ze=>adT7rec1{@g zx6X)`sQCB7>u1!XzqTh)s;XySsfO^g#E`V8~9)~@&C`QVj#lep< z9*aDkvhBq&s-vn^_^O?4ylf1vN{9hYO{ftO?=)b9zro4vXImAUd7ka+$l~j$)1{te zlaf7%dW#nLurKZpiFQPnPn=whof@!&=DO8ZXOcBVUPw#NL1|PmcKhQl&>eWjx~8PK z{Ym+g%ps7MR=5Ve>_s^`*3gvhCw;4oWN=LJIyjn(mus93&mFDkL_-$ z=!OqNcngYcqo8}LWtOYh#v_`yIgd+!c9t~pAvuZ-d1&j}zK*L>GW@ID5*h=*adAqF z+ueDb3Yo(O&$Hw!JUr_eBs}YID}A5mj{jWXW5E?m-ScWkiQ*j z$2fpSWONp>?{9SF$+n=plStPrtyj=)yrznrtVj?(jvwk)OqCy)0Bx;BWVrkTB(dcD zby1K|-~_RoNp=J(pBcx{8wsV$SoTjsnnrmIwS~{D_e?%ZUW>X5UrwTrKn^00wC#FP zaup+V!=m?3Yz#5nld`AHv+l^_Iv@(TPxuVM=pi~p+Di2rJEJtr+byA&r@%saGe?qk zx2RN^HFwsTs{+}du37gGx>9SNB_c(WM$*xIP{;wpk_wGSyrx@u?YPgnDEXV~N>O

295KX z@1x=GE`Vgd%3q1+Ud{nsT)IzvZZ|Uguxsc>?Cyc(nKT9=$*O*+ejhkdX*uhn)56gp zOOoTYp~)EX0C=H53CG;&FXtQyQD8R=L16M5I82EL7XlRU|C}=*vWw(EWwVc(0u80i zc9bGP`&wqGXm*+NXalo^rsKb@gd$h3^rf;rGk%!wBq#x4rKC=sWAhA@AvL1FH3Beo zjizXZM!yD)<9nt9<9q(qs`Txd(04o8p?zC?Pi{>X2S`Z}-L}fo4Z%BRYC|d9SJVot zCs^97fc-I63Gw=FfoCDsqL6DjCkF87h@sJ?f%fpNaoCjhgb)NX8&dDnYCkaRZ}u00 zWk_-8$dWurq`^E^${qU?ObLqDv)*QhJ7=JvUS`)@#=4coc8F+Lk-MBYBiEw9DBRCH zxVIBTzfba2Gml^{qo0$n`Idf<;i1VX3$J#I&jU&j4HH+*n;bt}@kTT*+< zxnY+8_U*3L*Hs>#@t`R*E&+Nh7OB96_+%kXw#SdGVHS4Ldecuoxjen>E`j~kS`=$7 zVLF*IGw5d7Y-a;av~L_x_P1PpR{i2aW`*+N4D0JUR|?goO;H9}>{j|u6^I%d&=s-& z?l!%y_X^mp*H(}pBFTyqr4Zr&hGOqC0;p>Fph2uVX{ITP6X5NQ!P?{;D$vck z)4Q|LZe67@b>&T{aiX? z%f3-#Yep5qgKr)9Cfm~Hi zajjY2#5x~7YH}7U()B}}dbPnojQR&6YFt;#TCQEWnVL?x%khcc8ngz7vGvo2JIdb} zXaByDT>q#6IYP}>zbaSfYeJ?O@tA0m=d>9L>;#V8)LpCS{~Eumwps*IuqYc;PT}}t z9PyV?a&z=hQ^YgCknSD?m8q(mc%2+NyiBDp2w&otIx!QlBVJv;rrMdWJ-1oG{w`$W zybAQpsUbU%Tdoa+_lSWM(%-`kNl-A{P&CxAVZMCr@#11yMf~0AWSD3hNUvdY4S(hU z?Qll7FAB&OscL2YM=kxwwrxz`P+?a6WrkwO7-g&>&K$fnWT>|j&WwLQxO|esV-2)xL#uGF${(+=KT~ zIRb$OwPi$;QWAhk$!0h3r5r1n_4#3sg5163b`{i(3Eq7z{x$9en0+*&pNkUwO0S@_ zj|6u{PdTOz9d(Cij4|xLwLlVEsi9<Ez5<-rcY}7g`wf*&vBlkZddC0sN@N^?c6CXlc3eUqxSb8ZfRKLU2h<&P@Jg6 zCi?1+ody?ZUPZ!@TgpaL_zK&K_1MIp$M#hH6+s;7+6!$@J?HY6vK2Nt8{W%zo(=pg zMXtQogaLdVN?#$lx5v%;sd@YkQg>Q?P;in#B2_+iLpaS?9^byn*PC@hTnt79+thE( z8N!WE^Ur$9?LIi5C@FPB!reJ6j_)b@{TrhQ`5EuE1&N?N-OyDhZPDR*T`A0qh$^i@HJ~TtFqyUfA-l zXDArfTcblk7Pk{!jk?llVn0J4FKI!ex9d$!nF;!>(GdEA4qcF1te0yw6Zd9P-34Nv z=!$6EZ_QgZHGSlbj~F$no*B@dz^Gs@@!q5_nN6nA4495zCvAkVN9ntU*)zY=0+R8L zHdLK-i=5)BE-v9UKmnVu-9`GY(X)Nd;|h8}v}?S%Zi z*+bRu_ABz6Ls6%>xfRJUt^UBWJ-}@Zcqs8)ZJmo1&PlfK=06tKY^JUI@ETY<0~=WT zEIA02N{n2^R{&_g4mo4eHKoEe-+k0f;aChJjDH#{y9bY zDtwmEe8@%~V5hJY$J<*6>zMkk(JL~-erPf}BYx5?s>KY@Ho2oK7$g5PY+j!Qo?P+GR;W=zE#S zE*8xsjkjTQW%n>0JiP-e@i>{&&7AVW)y=%>vOAmiflD*LxYNz72G`AWr1|mdj#vh5 zXH}V?*2^rGVTli&FK+v$pIW}x%k*4nk9uR(fqiHFx6fAel%6aA()g#2@cR&RIx+db zZ`O0LF&Gq3Q?F%ba@M}hH#49qfMVgIWyp(s#t^3P=mmE`DdQtffd_AR-(k0_6Qk9l 
z@&BG^tTts{^77>tR8`>u=G=%Pinlz0$W5U?(@~u|u=f!RJtab^x2?qw>HcI$FPcTP z(<-Hro!<+^b`9|48zISF`_n4arBST*aA2B!-03D?f$JtaPJH=whdzV0Q~oE8`?RrmM@I!juuBwDjdF2Q*jfw&|EJ+|S;>)}5Vix#<(b_6Oq- zNCT(*Pja<6ZrypNY|ffF<<`28fJ~U9r)&>zi2=caL5IovU(D-la6pFS16vkcaa*F? z>b-7+#2q>)xm#TLZG_HRa_L>Qgiv8<+=>Q^{DD9&Z0izum366JD6=n`gu}@lUSAG4 zUfSuwnSPeL|+K1|0~ zr|NkzAAd|oq>-0Zj~hLiUw>ZwR`mB@tCNePVT5VJ_*5SV``oFhV2Vk7*YA#Et zv3YS}+}|Bqw9sP>+A~{$q`roICmrow&WAK?_W0-vi&B-8Cn(DmNTe%T<<#qMBXyC< z&{GuiYhROpIka=)4__BH1i_ZmE)X~Fs#B}O(8jx{ogE-hkZKHpz?$QtASA=^>p7&Z zGXgtVlndkiEg0VH2qgr#s)s7&oQw=HR`8}E&T!m%MSt2F^RHgPS@2tAxNlLU$w7qJtZ^Xo z)zkJUo(CYu3HDtm%vyhn1=VTu?WF6V{R3AeWAxeTY6k)_a?>(gafAEsS1m9h0v?1p zBrFf~v5#YjhBhm-(6(Z&7nd6G3DWgdg4Y>nb^l^+AxVZBLMpx$&!{S_g!9$LCcMK( zRPuz;-;l|=ua~V{^pL@$xIopZ2XJ5FiE58KQ21JR;qFV1b~Db@Hc`zki=YE-Y#(!M z_LNK_V(il<=ZM)Mc$71>pBv3msWHSKQaEVnJ+nsP1&rchgW9l*g++J}hjEh(5T&d7 zq^Nwwtfx0Iop!*BTJ%;7{#8=b?URo~mnjNW;c7u(%#R@_O>%1~zPfs@=;_y2rkphw zj2YPkV>{b~kFiz=i$3{Bj*#S2;5xS|W(7gyE4g;iLJu3Zr+<8$u4%2ln)fi&^i^wQ)K&?Vi*cyIapgmRpNLz%BjEGj2zrL$1iwgNh7mD zdDZ{d@-#HIH5eiF<}~D|A_4)PEu0EIN?HQW(&ee+&>p%2RFOByO)=jkB?37+d!q`OMWbkFre1I1FH$@1h~qx0y{Ib z^m6mbP?{QK7}XZ*LN~&=m{{DMjgeE-5np%k9w9C#2I>OQwoCD>dVQP> zN)Y@oYpK-pe#hoH7iDlSOBQjlNVLsQ#`B*u}9$s!;a9upzykYO?BO+#+c} zsXz4#r?vCZ|0+9A*F+7xcc{s+Pzmbn;^ctDaXrSe@@ZGLw_iHntL-5$KbAJ4=8cB{ zvSzWe?p&r_k;jHq1xKy%0_$;h!!uRsVx)6%F)!X->IKW@l5wWsDr=^)yQxsyi`#-r z1Q^jdz`#Z9Bsk{h#Ku*Tu+^5w+4etRYWh0bvPfb;GH?VCHs#lxI7f41Gen!VgReBYz$cH$|kpFpi5q1nx zF_X}!IAL5`W#sOA_fV(N$J)Sx%G*Q91rm$k^s&e!!Ou*JG5ZJyX35e|;rsm~&}BAn zllIe82geBI;K_0D+lrIwOXju%AfE#Bt-}i>H~2fcH}DS(?CRwn5G+FakHW3Hxh*+Z z=vvotcv4|w<4(nHIGDv*ZF3S{EMKpRcFCn+U`#V0?Q(DsJ&hsc0UM4i`|myGu-sl! 
zV^E`b0XH@|z_PdB-$}%%dGNUJ=f(fqzP^0c0r*s^O1|`c8N5jeqpduUkH4&&hd02V ztE_J!V@3qtLvz#Bu(EP;nQf{Zp4t4&cY(RF5kjEN+}r2yrr&C$?R`aVn`}6_%xB6$ z`t_cZ$DcXtFefp7IS~9E%#Qa^f?O85$GY=e3*BBw(vzb)u*YT4W06a{g}rG-LJ z@GYo}Kqs%q`_5IU;2ahF7LbN5>{9a?>*hV>DAv}L{~%s*JL7+WbiCIk9RRYH zEp>RSy6YP8Wc<`Y8@>GQu3b)UZwR+b-xld$CPuxdhG~zmKgZ90|2;j7yd#MNt!2#< z&kFRcz2M?wx1fNe0PnEdvvqo# zzhRSK66bTgsA=xQJNNh_#nVs{ZM=!{npN&jcN73)xi?8Xy8;8dOyvOq`>*+_@=Dcs zW^a*yVi5)uAYa(*yI+5N*u-&3Wmr*p^2(F7%#_cB4!^?`H9&m_#TTO&*Dc)?w3g286xW6iBURtAJ&kSYzw-vmzP~pvIBvGhPvHE% zh+ir5!_eN)G=Vma|6J5VT}DLHXSmJv>%S*!0Vfvhy&*909kcz>%CIDKPng z&x)`^QeRQnPB|8l_|hL4h?vest16=Jlknp9`>uSJAZgf9~N38Iq^3Rq1_-Bw#R;g}`o$tHp zqBYwq{10cz=Ap>a!n_AF>ZKY`>Wkcp(zKp;1^lXC03}eIn}N-$_V_Hw02(rw8f_|Y z`d#`P_NDnM)?)VlnY#{lgvlWk4L3Kh3VR%!t9Ac8zAS1VtpXG*lIA9WYF{$EYf5X# zAJ?GZdv&yG93en0Idgt+Lg!cs-2RSonh^sBHmN_*W zeCDc^b#FRllAJI3>NbgXZ(CP;_c&Hfh&Jgvt&zef0A@VjGpD@?yT{+ehib3ZS5#B0 z+Krln8I8D4yh&F-|oEo&ib_bKTC2lb9SYjRxO!S z_JLkQP8+r*jHy*+)4wzb;3-HzU zWl!JIUC|)+PzzdS7+B8wI}&y6$)W8+1zc4BTsBZ1ji`+_nH*|{SE{!j(MxoxTJIsrv-G9s?A4}?)IvB) zKAS^%xbsgkrziBT)-L0d!NIHj-I@J_mE(((@_y%FSB>6+@wDA z!*Le{f(rsliwa10cS(bS4rYO5$X9aqcr%*dzDo~ zKzch1MbOro1B`!jl7+v6j{=S@wB7DF@Od%YP6SCfq~3vB z`Z-^DfgPouW zpsVne>PwTGfF=}lrRvhh%AmZqi;^qC7!zFGW!fB7DHG$7%$(*|l^UGaxYE>x?YOWU zG+S|r?e*446xH7E?bK2&g3cW4gb43~c^y*W_w?l2EUM3oYGWfscGW6CHC>IGJ_qsp zgx|02aHFiEbA?>^mqtOAk;+(tI%3~_F9C(}io!Xl)Xm}#b8#3w^Ddb`#~14uIDBR$ zehj^Vb(}TqZsE#l(NhwC zHy$m20!Y#tgS4u!p~=t9c?u2b_Mj{GE>7d4Mq`Lx$v2{q>?&E~rf03ASk?p{IkkB3 zsTuB8dv0wswms>}WAr;Ka^8-Z3vifc#uw1T zuKl15Y_Y+FkqEFqM8_3O-Z;*I9Yd?k{$$F0E{AaL2d=$3Z~8h*`IS)Tlg9^xGwF2f z^g6o1Oe#z1g*RD}6Cn{zaoxbdP0gTTYj9b2#w+hpMI8@j8GD!9JC-5WJ#I8l(Kh~x z`xN`8Lz4Z#w!1W&MIhCo;mNK5{}M$7`4N>L%jfW9*d;F$P%+{%iLuQVcWspz6ncHv zfJb^lZl>D$c@|t$j^G!lKR7=cNhz(g+U0dVbuY`-;(xas$3mXzKH=1%44dZ$&bW=q zaRO&%AN>vg?eyusuIlq5Z2Uv>l%`;rGdq+xw9G4J+LBvw;chaBxURLK1qwl@8|oy| zszVn|=)`$)?m+^4<;}YoiHTend~+n!R_aBIyQ{1me<}Rt_|Hp?h8CfK|8?k;3FK<- zJt96nxvQagJUrk)xc8Ir=pc2FA9;Aw@5^A)Zlp7XD(4{9)a 
z`>1t2-)d94!TCx7yFs8mBFok;I9)tNfB97gI|B+S+nO4`lh)dnv8=zpZ`3PKl7YPO zIikkzAU&&vdpwg^#gvF9+hr^~rvNp%pU-`UB z4R3SM-Rnyw!JVjgmmTct#`~a8!7te~-le2YK9S^ln~LU=OpC0WuD*lV2$ zEC1{>>Q}D#pl)r)xek7mmp^2%;T)$KOxkH^Qa3reVALkTX=uMDo_QyaGWN63fU`)Rc$H6k`r38?H>3xax{y-Mu%uDpXSZ`MqQB1(fT0&2BI7BgLh7MqqxZQ^_0di-?YU+Z7 z(#B!DOc!?vDu{!QP{1A%F;QSR-^=~|TYss)>lU*Fay2`AENSE{zuIhm zz4q>0##{Eshx1z|TjA5o0+?ie(2gA zi8yv5JsNpzYJ#0m-M@uoc%E5t^NEgZ={DoIliaF^+==_ABIG8Ejmw7WDfT`gJxBAG zZwV-@11(Vzy_mt>5&jG;MzL&Q4;63}QJ(%FsB=YOj67OBK9QPclto`WD0V6@&QLay z$7W}$AnsSRBqnqCeNlz<%(*|#_2^KWL&~<&IXl5R1w-gqw#P56wkSsGkgPekW$+N; zIcamzZVWo{bXN`19d<0G1c$#J(EB;KiECxmyZk}J-8M46z$M`I=vR zQu7Nyk_}grx7UbUMZ75bu>YLf1MewK8MuLqiZ^5YM`~Pfp}}twFMLUAcXtznn!hbj z#~jN9zdP3>2`fuW9A%Nh)qPF7$_Q5P8A(=t_wbL%$)06pw)f?n;j2-7V@iGp+yE>n z={AmmgRe?z$kJ=!wQlQ0TLQqs`WWkznrVhS(Q@Z}e&+VqwqB9P&AHQ2rHgD$Lqv_r zBri91O$HcV{rO61l(J$_kd5OG+?(!wqTkCn*20up;>bW>WlAeh`r;QMM`bSF-T1UN zJA2$g1r8OjH2)KQ=YA12X=(6Pl473p_B_P-TmKz?@HUyjS%sTesdFy@XZ{{XbpD*H za1bwVJw);G)hR;^O+^H>oWn*ft>(c`+Nc(HlJR$UPNUt3qFdo0?YIM*7T$u|`h#HyBlmo~_M? zPZ;>8eZmXKZXzM1)bkQ-4KsdUI%?2F{(Ju)DHUaG{*-;`L1|rVL2WO`n;6&2M(>jS zl%F6Ms57U@S=#h(I&B*V@&QAfka|iyoQ!2$4VxL9di<3ObV)&EmHhon;)toYagV?z zQUxd-W|>EiEB#D+iJqjzvy7(hGgEdUUvozgd$2Uy445sO=LD7v&M6N+97}ASgf;3MZVGZJ3P!PObLKK^#!7SdBpkmfFWcVQ z#kZ3o)`7mwAI!ktRj$IVc;3$86DqN5Oc&lb<#*6(0|=#|1Rj^vkV0?blQgBdee-4r@+XIe(MIIgz7 zJ$G!lVqUIVSoxT?7k#n;CYKCO%u^w2ZtVs zCv2^Ac6v<7RdM8~YZr7|h*Ol|h2-AdQgFdEZGH>>j0nDU9KI>LRb-X5fC82x$J1r> zgBeF*U;FLDuGQ*BPy;5fXQ%8h#vB? 
zEVoo?dJ$=e0f@d*hP-CgmJs8db_3G!NbJF8P+F2bNG-{^LRlJ6l+dDo(43e5?l5c5 z@T!4*0yYzKQ7+%NLxfA-L-vlSz<>jLD6s9&L97^X_uWh*WN7ww`T#Q>h<&f;VHx8k zE5+Pm_`taV-+p6+Zx%e%y{Ze-8kF=ZzOt4}x4yHv{`&{tLbEYIA|ZXnM{ zk~&zGF)@oT-obF(C~i0ILB}oz7@v@GCUnfsubr8~n2yD*mLG?h{df1zqP=05(4mz^Za{qgymIeYJOi6zI6v;-A3rIk_;t^!nC+YubQwg%5Oox zGD5X{$5j|02>@T|G05XR*40;MhkCZFvrZLoy&UX*BJ>J7s1t|7WT5B+aC+X5i?sQX zL1(3cQkH53KcK%X>AM%VRcCRA(r*`$W|+h6N~nwL5tP+B@EqL)16QX!XcJ7NTUObS zOK^5oa5h9~UaQ`GNxar|-YN7Bo$I@eV_Z4PAS~<1zZJV?{}#E1*^@!!7_5{+mF=@5$^x! zAO={BPE$B<2_q`d&!t}XRCLU`f4cgd4~57tor8OcJ)iDTKb=sU?oFID4+sf?z!5Gd zqAeIvVJOjiD~8=J;;Wc0DQFozxE2%moV=#pDC}9_Pw00h)vUZnt$`cTy0Dn6Gw{Mu zJAMStRc53MN$86?cJ<`wEVpciaDDq8>(FEAr+HM>b&*qv2TvYulX%YQ6SJy9hOoQM zy_Ak}r1^ntBwX5Pk!Sj`+a4&QL6xv$Vzl?d!vJ(@EIT_Z4U|4nv*o>Vxuq?|Qbt{Fu-eA#Ti-qm>9eoCtrkdzQ;d76&oe_sE5 z_y}l>5ihaBunqAYXwB6oe!xu(0O6oLCwA=%O+Ipth6(rgU}9G~202yO{Io z;%*fI$Nj2XJp)HT`c0>ggwUv#u9z%7E!?3*i7aS(Sdhfl=^Lgql}4EGK|Mk#_V~d0 zLwHPhTN-|M7&_`aiZi|^0QV4x#dJ^I)TCt-PYEgkYbpF4-_D9cD(5TRzTo2mP~JK2 zTh)|qvgsLV%Zv7pB?580wx|MM)+v19XcmaB>K&?oxp&P$C=m{c>{Q&nW8u1Z)GF** zDEqto%RMK^2P!>(CO~pfwGjn^qOjK}CqLlIIVzklC9A%~h}fN#9^`<7<#KDFNsjkNHi`H%S%dTvs`!(JKO8rkq%y zj%i;M(WrM#WIAU;ooG4;--0S!u{DVttzExxX`$ZD737FZrLKeOv)W3uc;{1K;ZtzW zgOKFRjwRm#Pwu=S!W$tHc9bl&f~5_Gvc z(dk@ihNxhzwDuxg*eqKF0h@9(y7Odr=t7S_^K;TD$BrP6ROZtH+oN2BeM`+1kCB7Z zOFu&{CsD3@9#91|-3-FmVHV}x_RYJ6==6QmdnPT@dXDq`n5HA;(_^a=(`;+G5@8&- z`;lcN6(f^SabhmNRkEZ$^kdeexogEAE8UKg9PX5A9USM2ek1KdRJ9r&K?k$OjXbrN zl^Ovv?Tt(2Jo!q8vqpvOo_~`*Deb+y)IG9Ns>SmpM^)gaTz9t@5cp}b(-zuB^A^8z#o3J>BiPziC zR_xDDRUlHF9O?d^z1%Prf#tjt4-Y?z=Ju4+$`?$P5YyHCa zR=hECix0`%PdizxS~2Kd*lQ5K%=3 literal 0 HcmV?d00001 diff --git a/Solutions/Malware Protection Essentials/Package/createUiDefinition.json b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json new file mode 100644 index 00000000000..561dbb2f22c --- /dev/null +++ b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json 
@@ -0,0 +1,359 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#", + "handler": "Microsoft.Azure.CreateUIDef", + "version": "0.1.2-preview", + "parameters": { + "config": { + "isWizard": false, + "basics": { + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Malware Protection Essentials](https://aka.ms/AboutASIM) is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. [Amazon Web Services](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-amazonwebservicesazure-sentinel-solution-amazonwebservices) \n 2. [Azure Firewall](https://portal.azure.com/#create/sentinel4azurefirewall.sentinel4azurefirewallsentinel4azurefirewall) \n 3. [Azure Network Security Groups](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-networksecuritygroupazure-sentinel-solution-networksecuritygroup) \n 4. [Check Point](https://portal.azure.com/#create/checkpoint.checkpoint-sentinel-solutionssentinel-1) \n 5. 
[Cisco ASA](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscoasaazure-sentinel-solution-ciscoasa) \n 6. [Cisco Meraki Security Events](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-ciscomerakiazure-sentinel-solution-ciscomeraki) \n 7. [Corelight](https://portal.azure.com/#create/corelightinc1584998267292.corelight-for-azure-sentinelcorelight-for-azure-sentinel-solution-template) \n 8. [Fortinet FortiGate](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-fortinetfortigateazure-sentinel-solution-fortinetfortigate) \n 9. [Microsoft Defender for IoT](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforotazure-sentinel-solution-unifiedmicrosoftsocforot) \n 10. [Microsoft Defender for Cloud](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-microsoftdefenderforcloudazure-sentinel-solution-microsoftdefenderforcloud) \n 11. [Microsoft Sysmon For Linux](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-sysmonforlinuxazure-sentinel-solution-sysmonforlinux) \n 12. [Windows Firewall](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-windowsfirewallazure-sentinel-solution-windowsfirewall) \n 13. [Palo Alto PANOS](https://portal.azure.com/#create/azuresentinel.azure-sentinel-solution-paloaltopanosazure-sentinel-solution-paloaltopanos) \n 14. [Vectra AI Stream](https://portal.azure.com/#create/vectraaiinc.vectra_sentinel_solutionvectra_sentinel_solutions) \n 15. [WatchGuard Firebox](https://portal.azure.com/#create/watchguard-technologies.watchguard_firebox_msswatchguard-sentinel-solution-plan) \n 16. 
[Zscaler Internet Access](https://portal.azure.com/#create/zscaler1579058425289.zscaler_internet_access_msszia_msentinel_v1) \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 6, **Hunting Queries:** 6, **Watchlists:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": 
"[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": null, + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": null + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." 
+ } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "Detect Registry Run Key Creation/Modification", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary." + } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "Detect Print Processors Registry Driver Key Creation/Modification", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "Process Creation with Suspicious CommandLine Arguments", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects process creation events with base64 encoded command line arguments. This could be an indication of a malicious process being executed." 
+ } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "Detect Malicious Usage of Recovery Tools to Delete Backup Files", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/" + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "Detect Windows Update Disabled from Registry", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects any registry value creation or modification of Windows Update registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host." + } + } + ] + }, + { + "name": "analytic6", + "type": "Microsoft.Common.Section", + "label": "Detect Windows Allow Firewall Rule Addition/Modification", + "elements": [ + { + "name": "analytic6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host." + } + } + ] + } + ] + }, + { + "name": "huntingqueries", + "label": "Hunting Queries", + "bladeTitle": "Hunting Queries", + "elements": [ + { + "name": "huntingqueries-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. 
" + } + }, + { + "name": "huntingqueries-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/hunting" + } + } + }, + { + "name": "huntingquery1", + "type": "Microsoft.Common.Section", + "label": "Detect New Scheduled Task Creation that Run Executables From Non-Standard Location", + "elements": [ + { + "name": "huntingquery1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery2", + "type": "Microsoft.Common.Section", + "label": "Detect File Creation in Startup Folder", + "elements": [ + { + "name": "huntingquery2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system. 
This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery3", + "type": "Microsoft.Common.Section", + "label": "Detect Files with Ramsomware Extensions", + "elements": [ + { + "name": "huntingquery3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query identifies cretion of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions. This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery4", + "type": "Microsoft.Common.Section", + "label": "Detect New Scheduled Task Entry Creations", + "elements": [ + { + "name": "huntingquery4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system. 
This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery5", + "type": "Microsoft.Common.Section", + "label": "Detect Modification to System Files or Directories by User Accounts", + "elements": [ + { + "name": "huntingquery5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This hunting query searches for modifications to system files or directories by a non system account (User Account). This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + }, + { + "name": "huntingquery6", + "type": "Microsoft.Common.Section", + "label": "Executable Files Created in Uncommon Locations", + "elements": [ + { + "name": "huntingquery6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This analytic rule detects any executable file creation in uncommon locations like temproray folders. This could be an indication of a persistence or defese evasion attempt by an adversary. 
This hunting query depends on CrowdStrikeFalconEndpointProtection MicrosoftThreatProtection SentinelOne VMwareCarbonBlack CiscoSecureEndpoint TrendMicroApexOne data connector (CommonSecurityLog SecurityAlert SentinelOne_CL CarbonBlackNotifications_CL CiscoSecureEndpoint_CL TMApexOneEvent Parser or Table)" + } + } + ] + } + ] + }, + { + "name": "watchlists", + "label": "Watchlists", + "subLabel": { + "preValidation": "Configure the watchlists", + "postValidation": "Done" + }, + "bladeTitle": "Watchlists", + "elements": [ + { + "name": "watchlists-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.", + "link": { + "label": "Learn more", + "uri": "https://aka.ms/sentinelwatchlists" + } + } + }, + { + "name": "watchlist1", + "type": "Microsoft.Common.Section", + "label": "Ransomware File Extensions", + "elements": [ + { + "name": "watchlist1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This watchlist contains a list of file extensions that are commonly used by ransomware. Add additional file extensions to this watchlist as required." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} 
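Review bot: The `basics.description` text at the top of this hunk does not describe the solution it ships with: it links the solution name to the ASIM page, lists network/firewall product solutions (Amazon Web Services, Azure Firewall, Cisco ASA, Palo Alto PANOS, …) as prerequisites and recommends a "Summarize data" logic app playbook, while the hunting-query sections further down name endpoint connectors (CrowdStrikeFalconEndpointProtection, MicrosoftThreatProtection, SentinelOne, VMwareCarbonBlack, CiscoSecureEndpoint, TrendMicroApexOne) and the content-count line lists no playbooks, so this block appears to be carried over from a network-session template. The `workbook1` section also ships with `"label": null` and `"text": null`, so the installer's Workbooks step shows an unnamed, undescribed workbook; the same gap seems to surface in mainTemplate.json as `"workbookVersion1": ""` and `"workbookContentId1": ""` (that hunk continues past this view). Several user-visible strings carry typos — "Ramsomware", "cretion", "temproray", "defese" — and `huntingquery6-text` opens with "This analytic rule detects" although it is a hunting query. Since package files like this are normally generated from the solution data file and the rule/query YAML, the fixes belong in those sources followed by a regeneration rather than a hand edit of the package JSON.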
diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json new file mode 100644 index 00000000000..a568b2606db --- /dev/null +++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json 
@@ -0,0 +1,2082 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "author": "Microsoft - support@microsoft.com", + "comments": "Solution template for Malware Protection Essentials" + }, + "parameters": { + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "watchlist1-id": { + "type": "string", + "defaultValue": "RansomwareFileExtensions", + "minLength": 1, + "metadata": { + "description": "Unique id for the watchlist" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": null, + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } + }, + "variables": { + "email": "support@microsoft.com", + "_email": "[variables('email')]", + "_solutionName": "Malware Protection Essentials", + "_solutionVersion": "3.0.0", + "solutionId": "azuresentinel.azure-sentinel-solution-malwareprotection", + "_solutionId": "[variables('solutionId')]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "dd041e4e-1ee2-41ec-ba4e-82a71d628260", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "7edde3d4-9859-4a00-b93c-b19ddda55320", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.0", + "analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.0", + "analyticRulecontentId4": "259de2c1-c546-4c6d-a17c-df639722f4d7", + "_analyticRulecontentId4": 
"[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.0", + "analyticRulecontentId5": "f1443a87-78d5-40c3-b051-f468f0f2def0", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "analyticRuleVersion6": "1.0.0", + "analyticRulecontentId6": "056593d4-ca3b-47a7-be9d-d1d0884a1d36", + "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "huntingQueryVersion1": "1.0.0", + "huntingQuerycontentId1": "b43394b9-fa91-4d98-b331-619926a933bb", + "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", + "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", + "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", + "huntingQueryVersion2": "1.0.0", + "huntingQuerycontentId2": "64e199a8-b26c-462f-a65c-09ed9b53a47b", + "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", + "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", + "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", + "huntingQueryVersion3": "1.0.0", + "huntingQuerycontentId3": "595aea5c-74c7-415b-8b12-10af1a338cdf", + "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", + "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", + "huntingQueryTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", + "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", + "huntingQueryVersion4": "1.0.0", + "huntingQuerycontentId4": "4dc0aae4-6375-4670-b138-8c42490ba206", + "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", + "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", + "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", + "huntingQueryVersion5": "1.0.0", + "huntingQuerycontentId5": "54b222c4-0149-421e-9d6d-da66da50495a", + "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", + "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", + "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", + "huntingQueryVersion6": "1.0.0", + "huntingQuerycontentId6": "ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f", + "_huntingQuerycontentId6": 
"[variables('huntingQuerycontentId6')]", + "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", + "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", + "Ransomware File Extensions": "Ransomware File Extensions", + "_Ransomware File Extensions": "[variables('Ransomware File Extensions')]", + "workbookVersion1": "", + "workbookContentId1": "", + "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + 
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects any registry value or key creation in the registry run keys. This could be an indication of a persistence attempt by an adversary.", + "displayName": "Detect Registry Run Key Creation/Modification", + "enabled": false, + "query": "// List of startup registry keys to monitor\nlet startupRegistryList = dynamic([\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\n 
'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows'\n ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + 
"CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", + "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation", + "DefenseEvasion" + ], + "techniques": [ + "T1547", + "T1112" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", + "columnName": "ActingProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "identifier": "Hive", + "columnName": "RegHive" + }, + { + "identifier": "Key", + "columnName": "RegKey" + } + ], + "entityType": "RegistryKey" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "RegistryValue" + }, + { + "identifier": "Value", + "columnName": "RegistryValueData" + }, + { + "identifier": "ValueType", + "columnName": "RegistryValueType" + } + ], + "entityType": "RegistryValue" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: 
({{ActingProcessId}}) modified registry run key {{RegistryKey}}.", + "alertDisplayNameFormat": "Registry Run Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Detect Registry Run Key Creation/Modification", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects any registry value creation or modification of print processor registry Driver key. This will load the executable at startup with print spooler service. This could be an indication of a persistence attempt by an adversary.", + "displayName": "Detect Print Processors Registry Driver Key Creation/Modification", + "enabled": false, + "query": "// Print Processor Registry Key RegEx\nlet printProcessorRegistryRegEx = @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\[A-Za-z0-9]*ControlSet[A-Za-z0-9]*\\\\Control\\\\Print\\\\Environments\\\\Windows\\s[A-Za-z0-9]+\\\\Print Processors\\\\[A-Za-z0-9]+\\\\Driver';\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated')\n| where RegistryKey matches regex printProcessorRegistryRegEx\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| 
extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + "CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", + "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "Persistence", + "PrivilegeEscalation" + ], + "techniques": [ + "T1547" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", 
+ "columnName": "ActingProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "identifier": "Hive", + "columnName": "RegHive" + }, + { + "identifier": "Key", + "columnName": "RegKey" + } + ], + "entityType": "RegistryKey" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "RegistryValue" + }, + { + "identifier": "Value", + "columnName": "RegistryValueData" + }, + { + "identifier": "ValueType", + "columnName": "RegistryValueType" + } + ], + "entityType": "RegistryValue" + } + ], + "eventGroupingSettings": { + "aggregationKind": "SingleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.", + "alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + 
"packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Detect Print Processors Registry Driver Key Creation/Modification", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects process creation events with base64 encoded command line arguments. 
This could be an indication of a malicious process being executed.", + "displayName": "Process Creation with Suspicious CommandLine Arguments", + "enabled": false, + "query": "_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\n| where strlen(CommandLineArgs) > 0\n| mv-apply CommandLineArgs on \n (\n where CommandLineArgs contains \"base64\"\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + "CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", + "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "Execution", + "DefenseEvasion" + ], + "techniques": [ + "T1059", 
+ "T1027" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "DvcHostname" + }, + { + "identifier": "DnsDomain", + "columnName": "DvcDomain" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "DvcIpAddr" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", + "columnName": "TargetProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "CommandLine" + } + ], + "entityType": "Process" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created.", + "alertDisplayNameFormat": "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": 
"[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Process Creation with Suspicious CommandLine Arguments", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId4')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects usage of recovery tools vssadmin, wbadmin, wmic and bcedit to delete backup files or change recovery configuration. 
Adversaries may use these tools to delete shadow copies and backup files to prevent recovery of files.\nhttps://attack.mitre.org/techniques/T1490/", + "displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files", + "enabled": false, + "query": "_ASim_ProcessEvent\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\n| where CommandLine has_all ('delete', 'shadow')\n| union isfuzzy=True \n (_ASim_ProcessEvent\n | where TargetProcessFilename =~ 'bcedit.exe'\n | where CommandLine has_all ('/set', 'recoveryenabled no')\n )\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "High", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + "CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", 
+ "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "Impact" + ], + "techniques": [ + "T1490" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "DvcHostname" + }, + { + "identifier": "DnsDomain", + "columnName": "DvcDomain" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "DvcIpAddr" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", + "columnName": "TargetProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "CommandLine" + } + ], + "entityType": "Process" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.", + "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion4')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId5')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects any registry value creation or modification of Windows Update 
registry keys to disable Windows Update. This could be an indication of defense evasion by an adversary on a compromised host.", + "displayName": "Detect Windows Update Disabled from Registry", + "enabled": false, + "query": "// List of Windows Firewall registry keys to monitor\nlet windowsUpdateRegistryList = dynamic([\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate',\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU'\n ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \n| where RegistryKey has_any (windowsUpdateRegistryList) \n| where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + 
"requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + "CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", + "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", + "columnName": "ActingProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "identifier": "Hive", + "columnName": "RegHive" + }, + { + "identifier": "Key", + "columnName": "RegKey" + } + ], + "entityType": "RegistryKey" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "RegistryValue" + }, + { + "identifier": "Value", + "columnName": "RegistryValueData" + }, + { + "identifier": "ValueType", + "columnName": "RegistryValueType" + } + ], + "entityType": "RegistryValue" + } + ], + "eventGroupingSettings": { + "aggregationKind": "singleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": 
"Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}", + "alertDisplayNameFormat": "Windows Update Disabled from Registry on {{HostName}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion5')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Detect Windows Update Disabled from Registry", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId6')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This analytic rule detects any registry value creation or modification of Windows firewall registry keys to allow network traffic. This could be an indication of defense evasion by an adversary to allow network traffic to/from a compromised host.", + "displayName": "Detect Windows Allow Firewall Rule Addition/Modification", + "enabled": false, + "query": "// List of Windows Firewall registry keys to monitor\nlet firewallRegistryList = dynamic([\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\n ]);\n_ASim_RegistryEvent\n| where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \n| where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\n| project\n TimeGenerated,\n DvcHostname,\n ActorUsername,\n ActorUsernameType,\n 
ActingProcessId,\n ActingProcessName,\n ActingProcessCommandLine,\n RegistryKey,\n RegistryValue,\n RegistryValueType,\n RegistryValueData\n| extend HostName = tostring(split(DvcHostname, '.')[0])\n| extend DnsDomain = tostring(strcat_array(array_slice(split(DvcHostname, '.'), 1, -1), '.'))\n| extend Username = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[1]), ActorUsername)\n| extend NTDomain = iff(tostring(ActorUsernameType) == 'Windows', tostring(split(ActorUsername, '\\\\')[0]), ActorUsername)\n| extend Username = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(ActorUsernameType) == 'UPN', tostring(split(ActorUsername, '@')[1]), '')\n| extend RegHive = tostring(split(RegistryKey, '\\\\')[0]), RegKey = tostring(strcat_array(array_slice(split(RegistryKey, '\\\\'), 1, -1), '\\\\')) \n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "connectorId": "CrowdStrikeFalconEndpointProtection", + "dataTypes": [ + "CommonSecurityLog" + ] + }, + { + "connectorId": "MicrosoftThreatProtection", + "dataTypes": [ + "SecurityAlert" + ] + }, + { + "connectorId": "SentinelOne", + "dataTypes": [ + "SentinelOne_CL" + ] + }, + { + "connectorId": "VMwareCarbonBlack", + "dataTypes": [ + "CarbonBlackNotifications_CL" + ] + }, + { + "connectorId": "CiscoSecureEndpoint", + "dataTypes": [ + "CiscoSecureEndpoint_CL" + ] + }, + { + "connectorId": "TrendMicroApexOne", + "dataTypes": [ + "TMApexOneEvent" + ] + } + ], + "tactics": [ + "DefenseEvasion" + ], + "techniques": [ + "T1562" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "HostName", + "columnName": "HostName" + }, + { + "identifier": "DnsDomain", + "columnName": "DnsDomain" + }, + { + 
"identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Host" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "Username" + }, + { + "identifier": "UPNSuffix", + "columnName": "UPNSuffix" + }, + { + "identifier": "NTDomain", + "columnName": "NTDomain" + } + ], + "entityType": "Account" + }, + { + "fieldMappings": [ + { + "identifier": "ProcessId", + "columnName": "ActingProcessId" + }, + { + "identifier": "CommandLine", + "columnName": "ActingProcessCommandLine" + } + ], + "entityType": "Process" + }, + { + "fieldMappings": [ + { + "identifier": "Hive", + "columnName": "RegHive" + }, + { + "identifier": "Key", + "columnName": "RegKey" + } + ], + "entityType": "RegistryKey" + }, + { + "fieldMappings": [ + { + "identifier": "Name", + "columnName": "RegistryValue" + }, + { + "identifier": "Value", + "columnName": "RegistryValueData" + }, + { + "identifier": "ValueType", + "columnName": "RegistryValueType" + } + ], + "entityType": "RegistryValue" + } + ], + "eventGroupingSettings": { + "aggregationKind": "singleAlert" + }, + "alertDetailsOverride": { + "alertDescriptionFormat": "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}}.", + "alertDisplayNameFormat": "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Analytics Rule 6", + "parentId": "[variables('analyticRuleId6')]", + "contentId": "[variables('_analyticRulecontentId6')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion6')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Detect Windows Allow Firewall Rule Addition/Modification", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_1", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Detect New Scheduled Task Creation that Run Executables From Non-Standard Location", + "category": "Hunting 
Queries", + "query": "// List of file locations to monitor\nlet fileLocations = dynamic([\n '\\\\Windows\\\\Temp\\\\',\n '\\\\AppData\\\\Local\\\\Temp\\\\',\n '\\\\Recycle Bin\\\\'\n ]);\n_ASim_ProcessEvent\n| where EventType == 'ProcessCreated'\n| where TargetProcessName has 'schtasks.exe' and TargetProcessCommandLine has_any (fileLocations)\n| project\n TimeGenerated,\n DvcHostname,\n DvcIpAddr,\n DvcDomain,\n TargetUsername,\n TargetUsernameType,\n TargetProcessName,\n TargetProcessId,\n CommandLine\n| extend Username = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[1]), TargetUsername)\n| extend NTDomain = iff(tostring(TargetUsernameType) == 'Windows', tostring(split(TargetUsername, '\\\\')[0]), TargetUsername)\n| extend Username = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[0]), Username)\n| extend UPNSuffix = iff(tostring(TargetUsernameType) == 'UPN', tostring(split(TargetUsername, '@')[1]), '')\n| extend Host_0_HostName = DvcHostname\n| extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend IP_0_Address = DvcIpAddr\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend Process_0_ProcessId = TargetProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query identifies new scheduled task created, to run executables from uncommon location like temp folders. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system." 
+ }, + { + "name": "tactics", + "value": "Execution,PrivilegeEscalation,Persistence" + }, + { + "name": "techniques", + "value": "T1053" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 1", + "parentId": "[variables('huntingQueryId1')]", + "contentId": "[variables('_huntingQuerycontentId1')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion1')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId1')]", + "contentKind": "HuntingQuery", + "displayName": "Detect New Scheduled Task Creation that Run Executables From Non-Standard Location", + "contentProductId": "[variables('_huntingQuerycontentProductId1')]", + "id": "[variables('_huntingQuerycontentProductId1')]", + "version": "[variables('huntingQueryVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', 
parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_2", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Detect File Creation in Startup Folder", + "category": "Hunting Queries", + "query": "// List of startup folders to monitor for Windows and Linux\nlet startupFolderList = dynamic([\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\n '/etc/init.d/',\n '/etc/rc.d/',\n '/etc/cron.d/'\n ]);\n_ASim_FileEvent\n| where EventType == 'FileCreated'\n| where FilePath has_any (startupFolderList)\n| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)\n| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')\n| extend Username = iff(User contains '\\\\', tostring(split(User, '\\\\')[1]), Username)\n| extend NTDomain = iff(User contains '\\\\', tostring(split(User, '\\\\')[0]), '')\n| extend Host_0_HostName = DvcHostname\n| extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend File_0_Name = FileName\n| extend File_0_Directory = 
FilePath\n| extend FileHash_0_Algorithm = HashType\n| extend FileHash_0_Value = Hash\n| extend Process_0_ProcessId = ActingProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query detects when a file is created in the Startup folder. This is a common technique used by adversaries to maintain persistence on a system." + }, + { + "name": "tactics", + "value": "Persistence,PrivilegeEscalation,DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1547,T1112" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 2", + "parentId": "[variables('huntingQueryId2')]", + "contentId": "[variables('_huntingQuerycontentId2')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion2')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId2')]", + "contentKind": "HuntingQuery", + "displayName": "Detect File Creation in Startup Folder", + "contentProductId": "[variables('_huntingQuerycontentProductId2')]", + "id": "[variables('_huntingQuerycontentProductId2')]", + "version": 
"[variables('huntingQueryVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_3", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Detect Files with Ramsomware Extensions", + "category": "Hunting Queries", + "query": "// Get list of ransomware file extensions from watchlist RansomwareFileExtension\nlet RansomwareFileExtensions = _GetWatchlist('RansomwareFileExtensions') | where Enabled == 'Yes' | project FileExtension;\n_ASim_FileEvent\n| where EventType !in ('FileDeleted' , 'DeleteFile')\n| extend FileExtension = tostring(split(FileName, '.')[1])\n| where FileExtension in~ (RansomwareFileExtensions)\n| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)\n| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')\n| extend Username = iff(User contains '\\\\', tostring(split(User, '\\\\')[1]), Username)\n| extend NTDomain = iff(User contains 
'\\\\', tostring(split(User, '\\\\')[0]), '')\n| extend Host_0_HostName = DvcHostname\n| extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend File_0_Name = FileName\n| extend File_0_Directory = FilePath\n| extend FileHash_0_Algorithm = HashType\n| extend FileHash_0_Value = Hash\n| extend Process_0_ProcessId = ActingProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query identifies cretion of files with ransomware extensions. Ransomware file extensions are defined in a watchlist named RansomwareFileExtensions." + }, + { + "name": "tactics", + "value": "Execution,Impact" + }, + { + "name": "techniques", + "value": "T1204,T1486" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 3", + "parentId": "[variables('huntingQueryId3')]", + "contentId": "[variables('_huntingQuerycontentId3')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion3')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + 
"contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId3')]", + "contentKind": "HuntingQuery", + "displayName": "Detect Files with Ramsomware Extensions", + "contentProductId": "[variables('_huntingQuerycontentProductId3')]", + "id": "[variables('_huntingQuerycontentProductId3')]", + "version": "[variables('huntingQueryVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_4", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Detect New Scheduled Task Entry Creations", + "category": "Hunting Queries", + "query": "_ASim_FileEvent\n| where EventType in ('FileCreated' , 'FileModified')\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\n| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| extend Username = iff(User contains 
'@', tostring(split(User, '@')[0]), User)\n| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')\n| extend Username = iff(User contains '\\\\', tostring(split(User, '\\\\')[1]), Username)\n| extend NTDomain = iff(User contains '\\\\', tostring(split(User, '\\\\')[0]), '')\n| extend Host_0_HostName = DvcHostname\n| extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend File_0_Name = FileName\n| extend File_0_Directory = FilePath\n| extend FileHash_0_Algorithm = HashType\n| extend FileHash_0_Value = Hash\n| extend Process_0_ProcessId = ActingProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query identifies new scheduled task entry creations. Malware often creates scheduled tasks to execute malicious code and maintain persistence on a system." 
+ }, + { + "name": "tactics", + "value": "Execution,PrivilegeEscalation,Persistence" + }, + { + "name": "techniques", + "value": "T1053" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 4", + "parentId": "[variables('huntingQueryId4')]", + "contentId": "[variables('_huntingQuerycontentId4')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion4')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId4')]", + "contentKind": "HuntingQuery", + "displayName": "Detect New Scheduled Task Entry Creations", + "contentProductId": "[variables('_huntingQuerycontentProductId4')]", + "id": "[variables('_huntingQuerycontentProductId4')]", + "version": "[variables('huntingQueryVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_5", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Detect Modification to System Files or Directories by User Accounts", + "category": "Hunting Queries", + "query": "// List of system file and directories to monitor\nlet systemFilesAndDirs = dynamic([\n \"\\\\Windows\\\\System32\", \n \"//etc\", \n \"//bin\", \n \"//root\", \n \"//lib\", \n \"//usr\", \n \"//dev\"\n]);\nlet systemUserTypes = dynamic([\n 'System',\n 'Service',\n 'Machine',\n 'Other'\n]);\n_ASim_FileEvent\n| where EventType in ('FileCreated' , 'FileModified')\n| where FilePath has_any (systemFilesAndDirs) and ActorUserType !in (systemUserTypes)\n| where isnotempty(ActorUserType)\n| project TimeGenerated, DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated) by DvcHostname, DvcDomain, User, ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)\n| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')\n| extend Username = iff(User contains '\\\\', tostring(split(User, '\\\\')[1]), Username)\n| extend NTDomain = iff(User contains '\\\\', tostring(split(User, '\\\\')[0]), '')\n| extend Host_0_HostName = DvcHostname\n| 
extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend File_0_Name = FileName\n| extend File_0_Directory = FilePath\n| extend FileHash_0_Algorithm = HashType\n| extend FileHash_0_Value = Hash\n| extend Process_0_ProcessId = ActingProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This hunting query searches for modifications to system files or directories by a non system account (User Account)." + }, + { + "name": "tactics", + "value": "DefenseEvasion,Persistence,PrivilegeEscalation" + }, + { + "name": "techniques", + "value": "T1036,T1543" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 5", + "parentId": "[variables('huntingQueryId5')]", + "contentId": "[variables('_huntingQuerycontentId5')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion5')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId5')]", + "contentKind": "HuntingQuery", + 
"displayName": "Detect Modification to System Files or Directories by User Accounts", + "contentProductId": "[variables('_huntingQuerycontentProductId5')]", + "id": "[variables('_huntingQuerycontentProductId5')]", + "version": "[variables('huntingQueryVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('huntingQueryTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('huntingQueryVersion6')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.OperationalInsights/savedSearches", + "apiVersion": "2022-10-01", + "name": "Malware_Protection_Essentials_Hunting_Query_6", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Executable Files Created in Uncommon Locations", + "category": "Hunting Queries", + "query": "// List of file extensions to monitor\nlet executableExtensions = dynamic(['exe', 'bat', 'cmd', 'vbs', 'ps1', 'psm1', 'wsf']);\n// List of file locations to monitor\nlet fileLocations = dynamic([\n '\\\\Windows\\\\System32\\\\',\n '\\\\Windows\\\\Temp\\\\',\n '\\\\AppData\\\\Local\\\\Temp\\\\',\n '\\\\Recycle Bin\\\\'\n ]);\n_ASim_FileEvent\n| where EventType == 'FileCreated'\n| extend FileExtension = tostring(split(FileName, '.')[1])\n| where FileExtension in~ (executableExtensions) and FilePath has_any (fileLocations)\n| project TimeGenerated, DvcHostname, DvcDomain, User, 
ActingProcessId, ActingProcessName, CommandLine, FileName, FilePath, Hash, HashType\n| extend Username = iff(User contains '@', tostring(split(User, '@')[0]), User)\n| extend UPNSuffix = iff(User contains '@', tostring(split(User, '@')[1]), '')\n| extend Username = iff(User contains '\\\\', tostring(split(User, '\\\\')[1]), Username)\n| extend NTDomain = iff(User contains '\\\\', tostring(split(User, '\\\\')[0]), '')\n| extend Host_0_HostName = DvcHostname\n| extend Host_0_DnsDomain = DvcDomain\n| extend Host_0_NTDomain = NTDomain\n| extend Account_0_Name = Username\n| extend Account_0_UPNSuffix = UPNSuffix\n| extend Account_0_NTDomain = NTDomain\n| extend File_0_Name = FileName\n| extend File_0_Directory = FilePath\n| extend FileHash_0_Algorithm = HashType\n| extend FileHash_0_Value = Hash\n| extend Process_0_ProcessId = ActingProcessId\n| extend Process_0_CommandLine = CommandLine\n", + "version": 2, + "tags": [ + { + "name": "description", + "value": "This analytic rule detects any executable file creation in uncommon locations like temproray folders. This could be an indication of a persistence or defese evasion attempt by an adversary." 
+ }, + { + "name": "tactics", + "value": "Persistence,PrivilegeEscalation,DefenseEvasion" + }, + { + "name": "techniques", + "value": "T1037,T1547,T1564" + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "properties": { + "description": "Malware Protection Essentials Hunting Query 6", + "parentId": "[variables('huntingQueryId6')]", + "contentId": "[variables('_huntingQuerycontentId6')]", + "kind": "HuntingQuery", + "version": "[variables('huntingQueryVersion6')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_huntingQuerycontentId6')]", + "contentKind": "HuntingQuery", + "displayName": "Executable Files Created in Uncommon Locations", + "contentProductId": "[variables('_huntingQuerycontentProductId6')]", + "id": "[variables('_huntingQuerycontentProductId6')]", + "version": "[variables('huntingQueryVersion6')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist1-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Ransomware File Extensions", + "source": "RansomwareFileExtensions.csv", + "description": "This watchlist provides a catalog of known 
ransomware-related file extensions.", + "provider": "Microsoft", + "isDeleted": false, + "watchlistAlias": "RansomwareFileExtensions", + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "FileExtension", + "rawContent": "FileExtension,Description,Enabled\r\n_AiraCropEncrypted,AiraCrop Ransomware affecte file,Yes\r\n1cbu1,Princess Locker ransomware affected file,Yes\r\n1txt,Enigma ransomware affected file,Yes\r\n73i87A,Xorist Ransomware affected data,Yes\r\na5zfn,Alma Locker ransomware affected data,Yes\r\naaa,TeslaCrypt ransomware encrypted data,No\r\nabc,TeslaCrypt ransomware encrypted data,Yes\r\nadk,Angry Duck ransomware affected file,Yes\r\naesir,Locky ransomware affected file,Yes\r\nalcatraz,Alcatraz Locker ransomware affected file,Yes\r\nangelamerkel,Angela Merkel ransomware affected file,Yes\r\nAngleWare,HiddenTear/MafiaWare (variant) ransomware affected file,Yes\r\nantihacker2017,Xorist (variant) Ransomware affected file,Yes\r\natlas,Atlas ransomware affected file,Yes\r\naxx,AxCrypt encrypted data,Yes\r\nBarRax,BarRax (HiddenTear variant) ransomware affected file,Yes\r\nbin,Alpha/Alfa ransomware affected data,No\r\nbitstak,Bitstak ransomware affected data,Yes\r\nbraincrypt,Braincrypt ransomware affected file,Yes\r\nbreaking_bad,Files1147@gmail(.)com ransomware affected data,Yes\r\nbript,BadEncriptor ransomware affected file,Yes\r\nbtc,Jigsaw Ransomware affected data,Yes\r\nccc,TeslaCrypt or Cryptowall encrypted data,No\r\nCCCRRRPPP,Unlock92 ransomware affected data,Yes\r\ncerber,Cerber ransomware affected data,Yes\r\ncerber2,Cerber 2 ransomware affected file,Yes\r\ncerber3,Cerber 3 ransomware affected data,Yes\r\ncoded,Anubis ransomware affected file,Yes\r\ncomrade,Comrade ransomware affected file,Yes\r\nconficker,Conficker ransomware affected file,Yes\r\ncoverton,Coverton ransomware affected data,Yes\r\ncovid19,Phishing / ransomware file,Yes\r\ncovid-19,Phishing / ransomware file,Yes\r\ncrab,GandCrab 
ransomware affected data,Yes\r\ncrinf,DecryptorMax or CryptInfinite ransomware affected data,Yes\r\ncrjoker,CryptoJoker ransomware affected data,Yes\r\ncrptrgr,CryptoRoger ransomware affected data,Yes\r\ncry,CryLocker ransomware affected data,Yes\r\ncryeye,DoubleLocker ransomware affected data,Yes\r\ncryp1,CryptXXX ransomware affected data,Yes\r\ncrypt,Scatter ransomware affected data,Yes\r\ncrypte,Jigsaw (variant) ransomware affected file,Yes\r\ncrypted,Nemucod ransomware affected file,Yes\r\ncryptolocker,CryptoLocker encrypted file,Yes\r\ncryptowall,Encrypted file by Cryptowall ransomware,Yes\r\ncrypz,CryptXXX ransomware affected data,Yes\r\nczvxce,Coverton ransomware affected file,Yes\r\nd4nk,PyL33T ransomware affected file,Yes\r\ndale,Chip ransomware affected file,Yes\r\ndamage,Damage ransomware affected file,Yes\r\ndarkness,Rakhni ransomware affected data,Yes\r\ndCrypt,DummyLocker ransomware affected file,Yes\r\ndeadbolt,Deadbolt ransomware affected file,Yes\r\ndecrypt2017,Globe 3 ransomware affected file,Yes\r\nderp,Derp ransomware renamed file,Yes\r\nDexter,Troldesh (variant) ransomware affected file,Yes\r\ndharma,CrySiS ransomware affected file,Yes\r\ndll,FSociety ransomware affected file,No\r\ndxxd,DXXD ransomware affected file,Yes\r\necc,Cryptolocker or TeslaCrypt virus encrypted file,Yes\r\nedgel,EdgeLocker ransomware affected file,Yes\r\nenc,TorrentLocker ransomware affected file,No\r\nenc,Cryptorium ransomware affected file,No\r\nenciphered,Malware (ransomware) encoded data,Yes\r\nEnCiPhErEd,Xorist Ransomware affected data,Yes\r\nencr,FileLocker ransomware affected file,Yes\r\nencrypt,Alpha ransomware affected data,Yes\r\nencrypted,Various ransomware affected file,Yes\r\nencrypted,Donald Trump ransomware affected file,Yes\r\nencrypted,KeRanger OS X ransomware affected file,Yes\r\nenigma,Coverton ransomware affected data,Yes\r\nevillock,Evil-JS (variant) ransomware affected file,Yes\r\nexotic,Exotic ransomware affected file,Yes\r\nexx,Alpha Crypt 
encrypted data,Yes\r\nezz,Alpha Crypt virus encrypted data,Yes\r\nfantom,Fantom ransomware affected data,Yes\r\nfile0locked,Evil ransomware affected file,Yes\r\nfucked,Manifestus ransomware affected file,Yes\r\nfun,Jigsaw Ransomware affected data,Yes\r\nfun,Jigsaw (variant) ransomware affected file,Yes\r\ngefickt,Jigsaw (variant) ransomware affected file,Yes\r\nglobe,Globe ransomware affected file,Yes\r\ngood,Scatter ransomware affected data,Yes\r\ngrt,Karmen HiddenTear (variant) ransomware affected file,Yes\r\nha3,El-Polocker affected file,Yes\r\nhelpmeencedfiles,Samas/SamSam ransomware affected file,Yes\r\nherbst,Herbst ransomware affacted data,Yes\r\nhnumkhotep,Globe 3 ransomware affected file,Yes\r\nhush,Jigsaw ransomware affected file,Yes\r\nifuckedyou,SerbRansom ransomware affected file,Yes\r\ninfo,PizzaCrypts Ransomware affected data,Yes\r\nkernel_complete,KeRanger OS X ransomware data,Yes\r\nkernel_pid,KeRanger OS X ransomware data,Yes\r\nkernel_time,KeRanger OS X ransomware,Yes\r\nkeybtc@inbox_com,KeyBTC ransomware affected data,Yes\r\nkimcilware,KimcilWare ransomware affected data,Yes\r\nkkk,Jigsaw Ransomware affected data,Yes\r\nkostya,Kostya ransomware affected file,Yes\r\nkrab,GandCrab v4 ransomware affected data,Yes\r\nkraken,Rakhni ransomware affected file,Yes\r\nkratos,KratosCrypt ransomware affected data,Yes\r\nkyra,Globe ransomware affected file,Yes\r\nlcked,Jigsaw (variant) ransomware affected file,Yes\r\nLeChiffre,LeChiffre ransomware affected data,Yes\r\nlegion,Legion ransomware affected data,Yes\r\nlesli,CryptoMix ransomware affected file,Yes\r\nlock93,Lock93 ransomware affected file,Yes\r\nlocked,Various ransomware affected data,Yes\r\nlocklock,LockLock ransomware affected data,Yes\r\nlocky,Locky ransomware affected data,Yes\r\nlol!,GPCode ransomware affected data,Yes\r\nloli,LOLI RanSomeWare ransomware affected file,Yes\r\nlovewindows,Globe (variant) ransomware affected file,Yes\r\nmadebyadam,Roga ransomware affected file,Yes\r\nmagic,Magic 
ransomware affected data,Yes\r\nmaya,HiddenTear (variant) ransomware affected file,Yes\r\nMERRY,Merry X-Mas ransomware affected file,Yes\r\nmicro,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nmole,CryptoMix (variant) ransomware affected data,Yes\r\nmp3,TeslaCrypt 3.0 ransomware encrypted data,No\r\nMRCR1,Merry X-Mas ransomware affected file,Yes\r\nnoproblemwedecfiles​,Samas/SamSam ransomware affected file,Yes\r\nnuclear55,Nuke ransomware affected file,Yes\r\nodcodc,ODCODC ransomware affected file,Yes\r\nodin,Locky ransomware affected file,Yes\r\nonion,Dharma ransomware affected data,Yes\r\noops,Marlboro ransomware affected file,Yes\r\nosiris,Locky (variant) ransomware affected data,Yes\r\np5tkjw,Xorist Ransomware affected data,Yes\r\npadcrypt,PadCrypt ransomware affected data,Yes\r\npaym,Jigsaw Ransomware affected data,Yes\r\npaymrss,Jigsaw Ransomware affected file,Yes\r\npayms,Jigsaw Ransomware affected file,Yes\r\npaymst,Jigsaw Ransomware affected file,Yes\r\npaymts,Jigsaw Ransomware affected file,Yes\r\npayrms,Jigsaw Ransomware affected file,Yes\r\npays,Jigsaw Ransomware affected data,Yes\r\npdcr,PadCrypt Ransomware script,Yes\r\npec,PEC 2017 ransomware affected file,Yes\r\nPEGS1,Merry X-Mas ransomware affected file,Yes\r\nperl,Bart ransomware affected file,Yes\r\nPoAr2w,Xorist Ransomware affected file,Yes\r\npotato,Potato ransomware affected file,Yes\r\npowerfulldecrypt,Samas/SamSam ransomware affected file,Yes\r\npubg,PUBG ransomware affected data,Yes\r\npurge,Globe ransomware affected file,Yes\r\npzdc,Scatter ransomware affected data,Yes\r\nR16m01d05,Ransomware affected data,Yes\r\nr5a,7ev3n ransomware affected file,Yes\r\nraid10,Globe [variant] ransomware affected file,Yes\r\nRARE1,Merry X-Mas ransomware affected file,Yes\r\nrazy,Razy ransomware affected data,Yes\r\nrdm,Radamant ransomware affected file,Yes\r\nrealfs0ciety@sigaint.org.fs0ciety,Fsociety ransomware affected file,Yes\r\nreco,STOP/DJVU ransomware file,Yes\r\nrekt,HiddenTear (variant) 
ransomware affected file,Yes\r\nrekt,RektLocker ransomware affected data,Yes\r\nremk,STOP Ransomware variant,Yes\r\nrip,KillLocker ransomware affected file,Yes\r\nRMCM1,Merry X-Mas ransomware affected file,Yes\r\nrmd,Zeta ransomware affected file,Yes\r\nrnsmwr,Gremit ransomware affected file,Yes\r\nrokku,Rokku ransomware affected data,Yes\r\nrrk,Radamant v2 ransomware affected file,Yes\r\nruby,Ruby ransomware affected file,Yes\r\nsage,Sage ransomware affected data,Yes\r\nSecureCrypted,Apocalypse ransomware affected file,Yes\r\nserp,Serpent (variant) ransomware affected file,Yes\r\nserpent,Serpent ransomware affected file,Yes\r\nsexy,PayDay ransomware affected files,Yes\r\nshit,Locky ransomware affected file,Yes\r\nspora,Spora ransomware affected file,Yes\r\nstn,Satan ransomware affected file,Yes\r\nsurprise,Surprise ransomware affected data,Yes\r\nszf,SZFLocker ransomware affected data,Yes\r\ntheworldisyours,Samas/SamSam ransomware affected file,Yes\r\nthor,Locky ransomware affected file,Yes\r\nttt,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nunavailable,Al-Namrood ransomware affected file,Yes\r\nvbransom,VBRansom 7 ransomware affected file,Yes\r\nvenusf,Venus Locker ransomware affected file,Yes\r\nVforVendetta,Samsam (variant) ransomware affected file,Yes\r\nvindows,Vindows Locker ransomware affected file,Yes\r\nvvv,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nvxlock,vxLock ransomware affected file,Yes\r\nwallet,Globe 3 (variant) ransomware affected file,Yes\r\nwcry,WannaCry ransomware affected file,Yes\r\nwflx,WildFire ransomware affected file,Yes\r\nWhereisyourfiles,Samas/SamSam ransomware affected file,Yes\r\nwindows10,Shade ransomware affected data,Yes\r\nwncry,Wana Decrypt0r 2.0 ransomware affected data,Yes\r\nxxx,TeslaCrypt 3.0 ransomware encrypted file,Yes\r\nxxx,help_dcfile ransomware affected file,Yes\r\nxyz,TeslaCrypt ransomware encrypted data,No\r\nytbl,Troldesh (variant) ransomware affected file,Yes\r\nzcrypt,ZCRYPT ransomware affected 
data,Yes\r\nzepto,Locky ransomware affected data,Yes\r\nzorro,Zorro ransomware affected file,Yes\r\nzyklon,ZYKLON ransomware affected data,Yes\r\nzzz,TeslaCrypt ransomware encrypted data,Yes\r\nzzzzz,Locky ransomware affected file,Yes\r\n" + }, + "apiVersion": "2022-11-01" + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "MalwareProtectionEssentialsWorkbookWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "" + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Malware Protection Essentials (Preview)\\n---\\n\\nThis wokbook provide details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.\\n\\n\\n\"},\"name\":\"text - 
2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"c470616d-5af0-483a-a595-28a684d878a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"f0450560-ef16-4aa9-a3ad-7485dd909587\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[{ \\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\"},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\", \\\"selected\\\":true }]\",\"label\":\"Show Help\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"\\r\\n|File|Process|Registry|\\r\\n|------|-------|----|\\r\\n|Files Created in Startup Folders|List of Suspicious Processes Created with Base64 CommandLine Argumnet|Startup Registry Creation/Moification|\\r\\n|Top 10 Hosts where Files Created in Startup Folders|Top 10 Devices with Suspicious Process|Top 10 Devices with Most Startup Registry Modification|\\r\\n|Top 10 Accounts to Create Files in Startup Folders|Top 10 Processes with Suspicious CommandLine|Top 10 Users with Most Startup Registry Modification|\\r\\n|List of Scheduled Task Created with Encoded Command|List of Backup Deletion Acitivties using LOL Binaries|Windows Update Disabled Devices|\\r\\n|Top 10 Processes Creating Scheduled Task with Encoded Command|Top 10 Devices with Most Backup Deletion 
Activity|Windows Firewall Allow Rule Addition Events|\\r\\n|Top 10 Users Creating Scheduled Task with Encoded Command|List of Processes Started from Unusual Locations|Top 10 Devices with Most Windows Firewall Allow Rule Addition|\\r\\n||Top 10 Devices where Processes Started from Unusual Locations|Top 10 Users to add Windows Firewall Allow Rule|\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 8\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"3d902e84-3e5b-4631-85d1-c229ec2abf75\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File Activity\",\"subTarget\":\"File\",\"style\":\"link\"},{\"id\":\"bbc20288-b398-4f63-b7a9-e3830213bb34\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Process Activity\",\"subTarget\":\"Process\",\"style\":\"link\"},{\"id\":\"edab4a44-8ca3-4ba1-bede-4186f4376d28\",\"cellValue\":\"selectedTab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Registry Activity\",\"subTarget\":\"Registry\",\"style\":\"link\"}]},\"name\":\"links - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let startupRegistryList = dynamic([\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx',\\r\\n 
'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\",\"size\":0,\"title\":\"Startup Registry Creation/Moification {TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"name\":\"RegistryActivity-Startup1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let startupRegistryList = 
dynamic([\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n 
ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\\r\\n| summarize Count=count() by DvcHostname\\r\\n| take 10\",\"size\":0,\"title\":\"Top 10 Devices with Most Startup Registry Modification {TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"RegistryActivity-Startup2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let startupRegistryList = dynamic([\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunOnceEx',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServicesOnce',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\RunServices',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 
'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\CurrentVersion\\\\\\\\Policies\\\\\\\\Explorer\\\\\\\\Run',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Userinit',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Winlogon\\\\\\\\Shell',\\r\\n 'HKEY_CURRENT_USER\\\\\\\\Software\\\\\\\\Microsoft\\\\\\\\Windows NT\\\\\\\\CurrentVersion\\\\\\\\Windows',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Microsoft\\\\\\\\Windows Advanced Threat Protection'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\\r\\n| summarize Count=count() by ActorUsername\\r\\n| take 10\",\"size\":0,\"title\":\"Top 10 Users with Most Startup Registry Modification {TimeRange}\",\"noDataMessage\":\"No Data for given TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"RegistryActivity-Startup3\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let windowsUpdateRegistryList = dynamic([\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\WindowsUpdate',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\Software\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\WindowsUpdate\\\\\\\\AU'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \\r\\n | where RegistryKey has_any (windowsUpdateRegistryList) \\r\\n | where RegistryValue 
has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\",\"size\":0,\"title\":\"Windows Update Disabled Devices {TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"RegistryActivity-WindowsUpdate1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let firewallRegistryList = dynamic([\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Static\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Configurable\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Defaults\\\\\\\\FirewallPolicy\\\\\\\\FirewallRules',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\WindowsFirewall'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \\r\\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\",\"size\":0,\"title\":\"Windows Firewall Allow Rule Addition Events {TimeRange}\",\"noDataMessage\":\"No Data 
for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"RegistryActivity-WindowsFirewall1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let firewallRegistryList = dynamic([\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Static\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Configurable\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Defaults\\\\\\\\FirewallPolicy\\\\\\\\FirewallRules',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\WindowsFirewall'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \\r\\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\\r\\n| summarize Count=count() by DvcHostname\\r\\n| take 10\",\"size\":0,\"title\":\"Top 10 Devices with Most Windows Firewall Allow Rule Addition {TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"RegistryActivity-WindowsFirewall2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" 
let firewallRegistryList = dynamic([\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Static\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Parameters\\\\\\\\FirewallPolicy\\\\\\\\RestrictedServices\\\\\\\\Configurable\\\\\\\\System',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SYSTEM\\\\\\\\CurrentControlSet\\\\\\\\Services\\\\\\\\SharedAccess\\\\\\\\Defaults\\\\\\\\FirewallPolicy\\\\\\\\FirewallRules',\\r\\n 'HKEY_LOCAL_MACHINE\\\\\\\\SOFTWARE\\\\\\\\Policies\\\\\\\\Microsoft\\\\\\\\WindowsFirewall'\\r\\n ]);\\r\\n _ASim_RegistryEvent\\r\\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \\r\\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n ActorUsername,\\r\\n ActorUsernameType,\\r\\n ActingProcessId,\\r\\n ActingProcessName,\\r\\n ActingProcessCommandLine,\\r\\n RegistryKey,\\r\\n RegistryValue,\\r\\n RegistryValueType,\\r\\n RegistryValueData\\r\\n| summarize Count=count() by ActorUsername\\r\\n| take 10\",\"size\":0,\"title\":\"Top 10 Users to add Windows Firewall Allow Rule {TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"RegistryActivity-WindowsFirewall2 - Copy\",\"styleSettings\":{\"maxWidth\":\"50%\"}}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Registry\"},\"name\":\"groupRegistry\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_ProcessEvent\\r\\n 
| where EventType == 'ProcessCreated'\\r\\n | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n | where strlen(CommandLineArgs) > 0\\r\\n | mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine\",\"size\":0,\"title\":\"List of Suspicious Processes Created with Base64 CommandLine Argumnet {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"ProcessActivity-SuspiciousProcess1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_ProcessEvent\\r\\n| where EventType == 'ProcessCreated'\\r\\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n| where strlen(CommandLineArgs) > 0\\r\\n| mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n| project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine\\r\\n| summarize Count=count() by DvcHostname\\r\\n| top 10 by Count \",\"size\":0,\"title\":\"Top 10 Devices with Suspicious Process {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"ProcessActivity-SuspiciousProcess2\",\"styleSettings\":{\"margin\":\"50\",\"padding\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_ProcessEvent\\r\\n| where EventType == 'ProcessCreated'\\r\\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n| where 
strlen(CommandLineArgs) > 0\\r\\n| mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n| project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine\\r\\n| summarize Count=count() by TargetProcessName\\r\\n| top 10 by Count \",\"size\":0,\"title\":\"Top 10 Processes with Suspicious CommandLine {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"RegistryActivity-SuspiciousProcess3\",\"styleSettings\":{\"margin\":\"50\",\"padding\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" _ASim_ProcessEvent\\r\\n | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\\r\\n | where CommandLine has_all ('delete', 'shadow')\\r\\n | union isfuzzy=True \\r\\n (imProcess\\r\\n | where TargetProcessFilename =~ 'bcedit.exe'\\r\\n | where CommandLine has_all ('/set', 'recoveryenabled no')\\r\\n )\\r\\n | project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine,\\r\\n ParentProcessName\",\"size\":0,\"title\":\"List of Backup Deletion Acitivties using LOL Binaries {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"ProcessActivity-BackupDeletion1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_ProcessEvent\\r\\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\\r\\n| where CommandLine has_all ('delete', 'shadow')\\r\\n| union isfuzzy=True \\r\\n (imProcess\\r\\n | where TargetProcessFilename =~ 'bcedit.exe'\\r\\n | 
where CommandLine has_all ('/set', 'recoveryenabled no')\\r\\n )\\r\\n| project\\r\\n TimeGenerated,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine,\\r\\n ParentProcessName\\r\\n| summarize Count=count() by DvcHostname\\r\\n| top 10 by Count \",\"size\":0,\"title\":\"Top 10 Devices with Most Backup Deletion Activity {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"ProcessActivity-BackupDeletion2\",\"styleSettings\":{\"margin\":\"50\",\"padding\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let fileLocations = dynamic([\\r\\n '\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\',\\r\\n '\\\\\\\\Recycle Bin\\\\\\\\'\\r\\n ]);\\r\\n_ASim_ProcessEvent\\r\\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\\r\\n| project\\r\\n TimeGenerated,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine,\\r\\n ParentProcessName,\\r\\n DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain\",\"size\":0,\"title\":\"List of Processes Started from Unusual Locations {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"ProcessActivity-MaliciousProcessLocation1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let fileLocations = dynamic([\\r\\n '\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\',\\r\\n '\\\\\\\\Recycle Bin\\\\\\\\'\\r\\n ]);\\r\\n_ASim_ProcessEvent\\r\\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\\r\\n| project\\r\\n TimeGenerated,\\r\\n TargetUsername,\\r\\n TargetProcessName,\\r\\n CommandLine,\\r\\n ParentProcessName,\\r\\n 
DvcHostname,\\r\\n DvcIpAddr,\\r\\n DvcDomain\\r\\n| summarize Count=count() by DvcHostname\\r\\n| top 10 by Count\",\"size\":0,\"title\":\"Top 10 Devices where Processes Started from Unusual Locations {TimeRange}\",\"noDataMessage\":\"No Data for this Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"name\":\"ProcessActivity-MaliciousProcessLocation2\"}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"Process\"},\"name\":\"groupProcess\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" // List of startup folders to monitor\\r\\n let startupFolderList = dynamic([\\r\\n '\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\',\\r\\n '\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\',\\r\\n '/etc/init.d/',\\r\\n '/etc/rc.d/',\\r\\n '/etc/cron.d/'\\r\\n ]);\\r\\n _ASim_FileEvent\\r\\n | where EventType == 'FileCreated'\\r\\n | where FilePath has_any (startupFolderList)\\r\\n | project FileName, FilePath, DvcHostname, DvcDomain, User, DvcId, TenantId, Process, CommandLine\",\"size\":0,\"title\":\"Files Created in Startup Folders {TimeRange}\",\"noDataMessage\":\"No Data for Given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true}},\"showPin\":false,\"name\":\"FileActivity-Startup1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" // List of startup folders to monitor\\r\\n let startupFolderList = dynamic([\\r\\n '\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start 
Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\',\\r\\n '\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\',\\r\\n '/etc/init.d/',\\r\\n '/etc/rc.d/',\\r\\n '/etc/cron.d/'\\r\\n ]);\\r\\n _ASim_FileEvent\\r\\n | where EventType == 'FileCreated'\\r\\n | where FilePath has_any (startupFolderList)\\r\\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine\\r\\n | summarize Count=count() by DvcHostname\\r\\n | top 10 by Count\",\"size\":0,\"title\":\"Top 10 Hosts where Files Created in Startup Folders {TimeRange}\",\"noDataMessage\":\"No Data for Given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"unstackedbar\"},\"customWidth\":\"50\",\"name\":\"FileActivity-Startup2\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" // List of startup folders to monitor\\r\\n let startupFolderList = dynamic([\\r\\n '\\\\\\\\AppData\\\\\\\\Roaming\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\',\\r\\n '\\\\\\\\ProgramData\\\\\\\\Microsoft\\\\\\\\Windows\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\StartUp\\\\\\\\',\\r\\n '/etc/init.d/',\\r\\n '/etc/rc.d/',\\r\\n '/etc/cron.d/'\\r\\n ]);\\r\\n _ASim_FileEvent\\r\\n | where EventType == 'FileCreated'\\r\\n | where FilePath has_any (startupFolderList)\\r\\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine, ActorUsername\\r\\n | summarize Count=count() by ActorUsername\\r\\n | top 10 by Count\",\"size\":0,\"title\":\"Top 10 Accounts to Create Files in Startup Folders {TimeRange}\",\"noDataMessage\":\"No Data for Given Time 
Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"FileActivity-Startup3\",\"styleSettings\":{\"maxWidth\":\"50%\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_FileEvent\\r\\n| where EventType in ('FileCreated', 'FileModified')\\r\\n| where FilePath has '\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks'\\r\\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n | where strlen(CommandLineArgs) > 0\\r\\n | mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\\r\\n\",\"size\":0,\"title\":\"List of Scheduled Task Created with Encoded Command {TimeRange}\",\"noDataMessage\":\"No Data for Given Time Range\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"FileActivity-ScheduledTask1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_FileEvent\\r\\n| where EventType in ('FileCreated', 'FileModified')\\r\\n| where FilePath has '\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks'\\r\\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n | where strlen(CommandLineArgs) > 0\\r\\n | mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\\r\\n| summarize Count=count() by Process\\r\\n| top 10 by Count\",\"size\":0,\"title\":\"Top 10 Processes Creating Scheduled Task with Encoded Command {TimeRange}\",\"noDataMessage\":\"No Data for given Time 
Range\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"FileActivity-ScheduledTask2\",\"styleSettings\":{\"maxWidth\":\"50\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"_ASim_FileEvent\\r\\n| where EventType in ('FileCreated', 'FileModified')\\r\\n| where FilePath has '\\\\\\\\Windows\\\\\\\\System32\\\\\\\\Tasks'\\r\\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \\\" \\\"), 1, -1))\\r\\n | where strlen(CommandLineArgs) > 0\\r\\n | mv-apply CommandLineArgs on \\r\\n (\\r\\n where CommandLineArgs contains \\\"base64\\\"\\r\\n )\\r\\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\\r\\n| summarize Count=count() by User\\r\\n| top 10 by Count\",\"size\":0,\"title\":\"Top 10 Users Creating Scheduled Task with Encoded Command{TimeRange}\",\"noDataMessage\":\"No Data for given Time Range\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"50\",\"name\":\"FileActivity-ScheduledTask3\",\"styleSettings\":{\"maxWidth\":\"50\"}}]},\"conditionalVisibility\":{\"parameterName\":\"selectedTab\",\"comparison\":\"isEqualTo\",\"value\":\"File\"},\"name\":\"groupFile\"}],\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": ".description", + "parentId": "[variables('workbookId1')]", + 
"contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", + "location": "[parameters('workspace-location')]", + "properties": { + "version": "3.0.0", + "kind": "Solution", + "contentSchemaVersion": "3.0.0", + "displayName": "Malware Protection Essentials", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Malware Protection Essentials is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the ASIM.

\n

Prerequisite :-

\n

Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.

\n
    \n
  1. Amazon Web Services
  2. \n
  3. Azure Firewall
  4. \n
  5. Azure Network Security Groups
  6. \n
  7. Check Point
  8. \n
  9. Cisco ASA
  10. \n
  11. Cisco Meraki Security Events
  12. \n
  13. Corelight
  14. \n
  15. Fortinet FortiGate
  16. \n
  17. Microsoft Defender for IoT
  18. \n
  19. Microsoft Defender for Cloud
  20. \n
  21. Microsoft Sysmon For Linux
  22. \n
  23. Windows Firewall
  24. \n
  25. Palo Alto PANOS
  26. \n
  27. Vectra AI Stream
  28. \n
  29. WatchGuard Firebox
  30. \n
  31. Zscaler Internet Access
  32. \n
\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:

\n
    \n
  1. Product solutions as described above
  2. \n
  3. Logic app for data summarization
  4. \n
\n

Recommendation :-

\n

It is highly recommended to use the Summarize data logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.

\n

Workbooks: 1, Analytic Rules: 6, Hunting Queries: 6, Watchlists: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", + "contentId": "[variables('_solutionId')]", + "parentId": "[variables('_solutionId')]", + "source": { + "kind": "Solution", + "name": "Malware Protection Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId1')]", + "version": "[variables('analyticRuleVersion1')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId2')]", + "version": "[variables('analyticRuleVersion2')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId3')]", + "version": "[variables('analyticRuleVersion3')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId4')]", + "version": "[variables('analyticRuleVersion4')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId5')]", + "version": "[variables('analyticRuleVersion5')]" + }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRulecontentId6')]", + "version": "[variables('analyticRuleVersion6')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId1')]", + "version": "[variables('huntingQueryVersion1')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId2')]", + "version": "[variables('huntingQueryVersion2')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId3')]", + "version": "[variables('huntingQueryVersion3')]" + }, + { + "kind": "HuntingQuery", + 
"contentId": "[variables('_huntingQuerycontentId4')]", + "version": "[variables('huntingQueryVersion4')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId5')]", + "version": "[variables('huntingQueryVersion5')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId6')]", + "version": "[variables('huntingQueryVersion6')]" + }, + { + "kind": "Watchlist", + "contentId": "[variables('_Ransomware File Extensions')]", + "version": "3.0.0" + }, + { + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" + } + ] + }, + "firstPublishDate": "2023-09-25", + "lastPublishDate": "2023-09-25", + "providers": [ + "Microsoft" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + } + }, + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]" + } + ], + "outputs": {} +} diff --git a/Solutions/Malware Protection Essentials/ReleaseNotes.md b/Solutions/Malware Protection Essentials/ReleaseNotes.md new file mode 100644 index 00000000000..3e2529de228 --- /dev/null +++ b/Solutions/Malware Protection Essentials/ReleaseNotes.md @@ -0,0 +1,3 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------| +|3.0.0 |12-21-2023 |Initial Release | \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/SolutionMetadata.json b/Solutions/Malware Protection Essentials/SolutionMetadata.json new file mode 100644 index 00000000000..fee85892448 --- /dev/null +++ b/Solutions/Malware Protection Essentials/SolutionMetadata.json 
@@ -0,0 +1,20 @@
+{
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-malwareprotection",
+ "firstPublishDate": "2023-09-25",
+ "lastPublishDate": "2023-09-25",
+ "providers": [
+ "Microsoft"
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Protection"
+ ]
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.csv b/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.csv
new file mode 100644
index 00000000000..88ea9f37a9f
--- /dev/null
+++ b/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.csv
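Review bot: `firstPublishDate` and `lastPublishDate` are both `2023-09-25`, which matches neither this commit's date nor the release-notes row added in the same patch (`12-21-2023`, under a header that declares DD-MM-YYYY), and the same `2023-09-25` pair is repeated in the generated mainTemplate.json just above. If the solution first ships with this commit, both metadata dates should carry the actual release date, and the release-notes entry should follow its own declared format, e.g. `|3.0.0 |21-12-2023 |Initial Release |`. The rest of the file (publisherId, offerId, support block) is consistent with the package, so this is a consistency fix rather than a functional one.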
@@ -0,0 +1,202 @@
+FileExtension,Description,Enabled
+_AiraCropEncrypted,AiraCrop Ransomware affecte file,Yes
+1cbu1,Princess Locker ransomware affected file,Yes
+1txt,Enigma ransomware affected file,Yes
+73i87A,Xorist Ransomware affected data,Yes
+a5zfn,Alma Locker ransomware affected data,Yes
+aaa,TeslaCrypt ransomware encrypted data,No
+abc,TeslaCrypt ransomware encrypted data,Yes
+adk,Angry Duck ransomware affected file,Yes
+aesir,Locky ransomware affected file,Yes
+alcatraz,Alcatraz Locker ransomware affected file,Yes
+angelamerkel,Angela Merkel ransomware affected file,Yes
+AngleWare,HiddenTear/MafiaWare (variant) ransomware affected file,Yes
+antihacker2017,Xorist (variant) Ransomware affected file,Yes
+atlas,Atlas ransomware affected file,Yes
+axx,AxCrypt encrypted data,Yes
+BarRax,BarRax (HiddenTear variant) ransomware affected file,Yes
+bin,Alpha/Alfa ransomware affected data,No
+bitstak,Bitstak ransomware affected data,Yes
+braincrypt,Braincrypt ransomware affected file,Yes
+breaking_bad,Files1147@gmail(.)com ransomware affected data,Yes
+bript,BadEncriptor ransomware affected file,Yes
+btc,Jigsaw Ransomware affected data,Yes
+ccc,TeslaCrypt or Cryptowall encrypted data,No
+CCCRRRPPP,Unlock92 ransomware affected data,Yes
+cerber,Cerber ransomware affected data,Yes
+cerber2,Cerber 2 ransomware affected file,Yes
+cerber3,Cerber 3 ransomware affected data,Yes
+coded,Anubis ransomware affected file,Yes
+comrade,Comrade ransomware affected file,Yes
+conficker,Conficker ransomware affected file,Yes
+coverton,Coverton ransomware affected data,Yes
+covid19,Phishing / ransomware file,Yes
+covid-19,Phishing / ransomware file,Yes
+crab,GandCrab ransomware affected data,Yes
+crinf,DecryptorMax or CryptInfinite ransomware affected data,Yes
+crjoker,CryptoJoker ransomware affected data,Yes
+crptrgr,CryptoRoger ransomware affected data,Yes
+cry,CryLocker ransomware affected data,Yes
+cryeye,DoubleLocker ransomware affected data,Yes
+cryp1,CryptXXX ransomware affected data,Yes
+crypt,Scatter ransomware affected data,Yes
+crypte,Jigsaw (variant) ransomware affected file,Yes
+crypted,Nemucod ransomware affected file,Yes
+cryptolocker,CryptoLocker encrypted file,Yes
+cryptowall,Encrypted file by Cryptowall ransomware,Yes
+crypz,CryptXXX ransomware affected data,Yes
+czvxce,Coverton ransomware affected file,Yes
+d4nk,PyL33T ransomware affected file,Yes
+dale,Chip ransomware affected file,Yes
+damage,Damage ransomware affected file,Yes
+darkness,Rakhni ransomware affected data,Yes
+dCrypt,DummyLocker ransomware affected file,Yes
+deadbolt,Deadbolt ransomware affected file,Yes
+decrypt2017,Globe 3 ransomware affected file,Yes
+derp,Derp ransomware renamed file,Yes
+Dexter,Troldesh (variant) ransomware affected file,Yes
+dharma,CrySiS ransomware affected file,Yes
+dll,FSociety ransomware affected file,No
+dxxd,DXXD ransomware affected file,Yes
+ecc,Cryptolocker or TeslaCrypt virus encrypted file,Yes
+edgel,EdgeLocker ransomware affected file,Yes
+enc,TorrentLocker ransomware affected file,No
+enc,Cryptorium ransomware affected file,No
+enciphered,Malware (ransomware) encoded data,Yes
+EnCiPhErEd,Xorist Ransomware affected data,Yes
+encr,FileLocker ransomware affected file,Yes
+encrypt,Alpha ransomware affected data,Yes
+encrypted,Various ransomware affected file,Yes
+encrypted,Donald Trump ransomware affected file,Yes
+encrypted,KeRanger OS X ransomware affected file,Yes
+enigma,Coverton ransomware affected data,Yes
+evillock,Evil-JS (variant) ransomware affected file,Yes
+exotic,Exotic ransomware affected file,Yes
+exx,Alpha Crypt encrypted data,Yes
+ezz,Alpha Crypt virus encrypted data,Yes
+fantom,Fantom ransomware affected data,Yes
+file0locked,Evil ransomware affected file,Yes
+fucked,Manifestus ransomware affected file,Yes
+fun,Jigsaw Ransomware affected data,Yes
+fun,Jigsaw (variant) ransomware affected file,Yes
+gefickt,Jigsaw (variant) ransomware affected file,Yes
+globe,Globe ransomware affected file,Yes
+good,Scatter ransomware affected data,Yes
+grt,Karmen HiddenTear (variant) ransomware affected file,Yes
+ha3,El-Polocker affected file,Yes
+helpmeencedfiles,Samas/SamSam ransomware affected file,Yes
+herbst,Herbst ransomware affacted data,Yes
+hnumkhotep,Globe 3 ransomware affected file,Yes
+hush,Jigsaw ransomware affected file,Yes
+ifuckedyou,SerbRansom ransomware affected file,Yes
+info,PizzaCrypts Ransomware affected data,Yes
+kernel_complete,KeRanger OS X ransomware data,Yes
+kernel_pid,KeRanger OS X ransomware data,Yes
+kernel_time,KeRanger OS X ransomware,Yes
+keybtc@inbox_com,KeyBTC ransomware affected data,Yes
+kimcilware,KimcilWare ransomware affected data,Yes
+kkk,Jigsaw Ransomware affected data,Yes
+kostya,Kostya ransomware affected file,Yes
+krab,GandCrab v4 ransomware affected data,Yes
+kraken,Rakhni ransomware affected file,Yes
+kratos,KratosCrypt ransomware affected data,Yes
+kyra,Globe ransomware affected file,Yes
+lcked,Jigsaw (variant) ransomware affected file,Yes
+LeChiffre,LeChiffre ransomware affected data,Yes
+legion,Legion ransomware affected data,Yes
+lesli,CryptoMix ransomware affected file,Yes
+lock93,Lock93 ransomware affected file,Yes
+locked,Various ransomware affected data,Yes
+locklock,LockLock ransomware affected data,Yes
+locky,Locky ransomware affected data,Yes
+lol!,GPCode ransomware affected data,Yes
+loli,LOLI RanSomeWare ransomware affected file,Yes
+lovewindows,Globe (variant) ransomware affected file,Yes
+madebyadam,Roga ransomware affected file,Yes
+magic,Magic ransomware affected data,Yes
+maya,HiddenTear (variant) ransomware affected file,Yes
+MERRY,Merry X-Mas ransomware affected file,Yes
+micro,TeslaCrypt 3.0 ransomware encrypted data,Yes
+mole,CryptoMix (variant) ransomware affected data,Yes
+mp3,TeslaCrypt 3.0 ransomware encrypted data,No
+MRCR1,Merry X-Mas ransomware affected file,Yes
+noproblemwedecfiles​,Samas/SamSam ransomware affected file,Yes
+nuclear55,Nuke ransomware affected file,Yes
+odcodc,ODCODC ransomware affected file,Yes
+odin,Locky ransomware affected file,Yes
+onion,Dharma ransomware affected data,Yes
+oops,Marlboro ransomware affected file,Yes
+osiris,Locky (variant) ransomware affected data,Yes
+p5tkjw,Xorist Ransomware affected data,Yes
+padcrypt,PadCrypt ransomware affected data,Yes
+paym,Jigsaw Ransomware affected data,Yes
+paymrss,Jigsaw Ransomware affected file,Yes
+payms,Jigsaw Ransomware affected file,Yes
+paymst,Jigsaw Ransomware affected file,Yes
+paymts,Jigsaw Ransomware affected file,Yes
+payrms,Jigsaw Ransomware affected file,Yes
+pays,Jigsaw Ransomware affected data,Yes
+pdcr,PadCrypt Ransomware script,Yes
+pec,PEC 2017 ransomware affected file,Yes
+PEGS1,Merry X-Mas ransomware affected file,Yes
+perl,Bart ransomware affected file,Yes
+PoAr2w,Xorist Ransomware affected file,Yes
+potato,Potato ransomware affected file,Yes
+powerfulldecrypt,Samas/SamSam ransomware affected file,Yes
+pubg,PUBG ransomware affected data,Yes
+purge,Globe ransomware affected file,Yes
+pzdc,Scatter ransomware affected data,Yes
+R16m01d05,Ransomware affected data,Yes
+r5a,7ev3n ransomware affected file,Yes
+raid10,Globe [variant] ransomware affected file,Yes
+RARE1,Merry X-Mas ransomware affected file,Yes
+razy,Razy ransomware affected data,Yes
+rdm,Radamant ransomware affected file,Yes
+realfs0ciety@sigaint.org.fs0ciety,Fsociety ransomware affected file,Yes
+reco,STOP/DJVU ransomware file,Yes
+rekt,HiddenTear (variant) ransomware affected file,Yes
+rekt,RektLocker ransomware affected data,Yes
+remk,STOP Ransomware variant,Yes
+rip,KillLocker ransomware affected file,Yes
+RMCM1,Merry X-Mas ransomware affected file,Yes
+rmd,Zeta ransomware affected file,Yes
+rnsmwr,Gremit ransomware affected file,Yes
+rokku,Rokku ransomware affected data,Yes
+rrk,Radamant v2 ransomware affected file,Yes
+ruby,Ruby ransomware affected file,Yes
+sage,Sage ransomware affected data,Yes
+SecureCrypted,Apocalypse ransomware affected file,Yes
+serp,Serpent (variant) ransomware affected file,Yes
+serpent,Serpent ransomware affected file,Yes
+sexy,PayDay ransomware affected files,Yes
+shit,Locky ransomware affected file,Yes
+spora,Spora ransomware affected file,Yes
+stn,Satan ransomware affected file,Yes
+surprise,Surprise ransomware affected data,Yes
+szf,SZFLocker ransomware affected data,Yes
+theworldisyours,Samas/SamSam ransomware affected file,Yes
+thor,Locky ransomware affected file,Yes
+ttt,TeslaCrypt 3.0 ransomware encrypted data,Yes
+unavailable,Al-Namrood ransomware affected file,Yes
+vbransom,VBRansom 7 ransomware affected file,Yes
+venusf,Venus Locker ransomware affected file,Yes
+VforVendetta,Samsam (variant) ransomware affected file,Yes
+vindows,Vindows Locker ransomware affected file,Yes
+vvv,TeslaCrypt 3.0 ransomware encrypted data,Yes
+vxlock,vxLock ransomware affected file,Yes
+wallet,Globe 3 (variant) ransomware affected file,Yes
+wcry,WannaCry ransomware affected file,Yes
+wflx,WildFire ransomware affected file,Yes
+Whereisyourfiles,Samas/SamSam ransomware affected file,Yes
+windows10,Shade ransomware affected data,Yes
+wncry,Wana Decrypt0r 2.0 ransomware affected data,Yes
+xxx,TeslaCrypt 3.0 ransomware encrypted file,Yes
+xxx,help_dcfile ransomware affected file,Yes
+xyz,TeslaCrypt ransomware encrypted data,No
+ytbl,Troldesh (variant) ransomware affected file,Yes
+zcrypt,ZCRYPT ransomware affected data,Yes
+zepto,Locky ransomware affected data,Yes
+zorro,Zorro ransomware affected file,Yes
+zyklon,ZYKLON ransomware affected data,Yes
+zzz,TeslaCrypt ransomware encrypted data,Yes
+zzzzz,Locky ransomware affected file,Yes
diff --git a/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.json b/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.json
new file mode 100644
index 00000000000..889c2e54019
--- /dev/null
+++ b/Solutions/Malware Protection Essentials/Watchlists/RansomwareFileExtensions.json
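Review bot: `FileExtension` is declared as the watchlist's `itemsSearchKey` in the RansomwareFileExtensions.json that follows, but the column is not unique in this file — `enc` appears twice, `encrypted` three times, and `fun`, `rekt` and `xxx` twice each — so any consuming query that joins on the search key will fan out to several rows for those extensions, depending on how it is written. Merging each duplicate into a single row, e.g. `enc,TorrentLocker or Cryptorium ransomware affected file,No`, keeps the key unique without losing the attribution. Two descriptions carry typos (`affecte file`, `affacted data`), and the `noproblemwedecfiles` key looks like it has a non-printing character before the comma, which would stop it from ever matching a real extension — worth checking the raw bytes. The meaning of the `Enabled` column is not documented anywhere in the hunk (common extensions such as `aaa`, `bin`, `dll`, `mp3`, `xyz` are set to `No`, presumably to suppress false positives); a sentence on that in the watchlist `description` would help whoever tunes the list.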
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "WorkspaceName": { + "type": "string", + "metadata": { + "description": "Log Analytics workspace name where Sentinel is setup." + } + } + }, + "resources": [ + { + "name": "[concat(parameters('WorkspaceName'), '/Microsoft.SecurityInsights/RansomwareFileExtensions')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Ransomware File Extensions", + "source": "RansomwareFileExtensions.csv", + "description": "This watchlist provides a catalog of known ransomware-related file extensions.", + "provider": "Microsoft", + "isDeleted": false, + "watchlistAlias": "RansomwareFileExtensions", + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "FileExtension", + "rawContent": "FileExtension,Description,Enabled\r\n_AiraCropEncrypted,AiraCrop Ransomware affecte file,Yes\r\n1cbu1,Princess Locker ransomware affected file,Yes\r\n1txt,Enigma ransomware affected file,Yes\r\n73i87A,Xorist Ransomware affected data,Yes\r\na5zfn,Alma Locker ransomware affected data,Yes\r\naaa,TeslaCrypt ransomware encrypted data,No\r\nabc,TeslaCrypt ransomware encrypted data,Yes\r\nadk,Angry Duck ransomware affected file,Yes\r\naesir,Locky ransomware affected file,Yes\r\nalcatraz,Alcatraz Locker ransomware affected file,Yes\r\nangelamerkel,Angela Merkel ransomware affected file,Yes\r\nAngleWare,HiddenTear/MafiaWare (variant) ransomware affected file,Yes\r\nantihacker2017,Xorist (variant) Ransomware affected file,Yes\r\natlas,Atlas ransomware affected file,Yes\r\naxx,AxCrypt encrypted data,Yes\r\nBarRax,BarRax (HiddenTear variant) ransomware affected file,Yes\r\nbin,Alpha/Alfa ransomware affected data,No\r\nbitstak,Bitstak ransomware affected data,Yes\r\nbraincrypt,Braincrypt ransomware affected 
file,Yes\r\nbreaking_bad,Files1147@gmail(.)com ransomware affected data,Yes\r\nbript,BadEncriptor ransomware affected file,Yes\r\nbtc,Jigsaw Ransomware affected data,Yes\r\nccc,TeslaCrypt or Cryptowall encrypted data,No\r\nCCCRRRPPP,Unlock92 ransomware affected data,Yes\r\ncerber,Cerber ransomware affected data,Yes\r\ncerber2,Cerber 2 ransomware affected file,Yes\r\ncerber3,Cerber 3 ransomware affected data,Yes\r\ncoded,Anubis ransomware affected file,Yes\r\ncomrade,Comrade ransomware affected file,Yes\r\nconficker,Conficker ransomware affected file,Yes\r\ncoverton,Coverton ransomware affected data,Yes\r\ncovid19,Phishing / ransomware file,Yes\r\ncovid-19,Phishing / ransomware file,Yes\r\ncrab,GandCrab ransomware affected data,Yes\r\ncrinf,DecryptorMax or CryptInfinite ransomware affected data,Yes\r\ncrjoker,CryptoJoker ransomware affected data,Yes\r\ncrptrgr,CryptoRoger ransomware affected data,Yes\r\ncry,CryLocker ransomware affected data,Yes\r\ncryeye,DoubleLocker ransomware affected data,Yes\r\ncryp1,CryptXXX ransomware affected data,Yes\r\ncrypt,Scatter ransomware affected data,Yes\r\ncrypte,Jigsaw (variant) ransomware affected file,Yes\r\ncrypted,Nemucod ransomware affected file,Yes\r\ncryptolocker,CryptoLocker encrypted file,Yes\r\ncryptowall,Encrypted file by Cryptowall ransomware,Yes\r\ncrypz,CryptXXX ransomware affected data,Yes\r\nczvxce,Coverton ransomware affected file,Yes\r\nd4nk,PyL33T ransomware affected file,Yes\r\ndale,Chip ransomware affected file,Yes\r\ndamage,Damage ransomware affected file,Yes\r\ndarkness,Rakhni ransomware affected data,Yes\r\ndCrypt,DummyLocker ransomware affected file,Yes\r\ndeadbolt,Deadbolt ransomware affected file,Yes\r\ndecrypt2017,Globe 3 ransomware affected file,Yes\r\nderp,Derp ransomware renamed file,Yes\r\nDexter,Troldesh (variant) ransomware affected file,Yes\r\ndharma,CrySiS ransomware affected file,Yes\r\ndll,FSociety ransomware affected file,No\r\ndxxd,DXXD ransomware affected file,Yes\r\necc,Cryptolocker or 
TeslaCrypt virus encrypted file,Yes\r\nedgel,EdgeLocker ransomware affected file,Yes\r\nenc,TorrentLocker ransomware affected file,No\r\nenc,Cryptorium ransomware affected file,No\r\nenciphered,Malware (ransomware) encoded data,Yes\r\nEnCiPhErEd,Xorist Ransomware affected data,Yes\r\nencr,FileLocker ransomware affected file,Yes\r\nencrypt,Alpha ransomware affected data,Yes\r\nencrypted,Various ransomware affected file,Yes\r\nencrypted,Donald Trump ransomware affected file,Yes\r\nencrypted,KeRanger OS X ransomware affected file,Yes\r\nenigma,Coverton ransomware affected data,Yes\r\nevillock,Evil-JS (variant) ransomware affected file,Yes\r\nexotic,Exotic ransomware affected file,Yes\r\nexx,Alpha Crypt encrypted data,Yes\r\nezz,Alpha Crypt virus encrypted data,Yes\r\nfantom,Fantom ransomware affected data,Yes\r\nfile0locked,Evil ransomware affected file,Yes\r\nfucked,Manifestus ransomware affected file,Yes\r\nfun,Jigsaw Ransomware affected data,Yes\r\nfun,Jigsaw (variant) ransomware affected file,Yes\r\ngefickt,Jigsaw (variant) ransomware affected file,Yes\r\nglobe,Globe ransomware affected file,Yes\r\ngood,Scatter ransomware affected data,Yes\r\ngrt,Karmen HiddenTear (variant) ransomware affected file,Yes\r\nha3,El-Polocker affected file,Yes\r\nhelpmeencedfiles,Samas/SamSam ransomware affected file,Yes\r\nherbst,Herbst ransomware affacted data,Yes\r\nhnumkhotep,Globe 3 ransomware affected file,Yes\r\nhush,Jigsaw ransomware affected file,Yes\r\nifuckedyou,SerbRansom ransomware affected file,Yes\r\ninfo,PizzaCrypts Ransomware affected data,Yes\r\nkernel_complete,KeRanger OS X ransomware data,Yes\r\nkernel_pid,KeRanger OS X ransomware data,Yes\r\nkernel_time,KeRanger OS X ransomware,Yes\r\nkeybtc@inbox_com,KeyBTC ransomware affected data,Yes\r\nkimcilware,KimcilWare ransomware affected data,Yes\r\nkkk,Jigsaw Ransomware affected data,Yes\r\nkostya,Kostya ransomware affected file,Yes\r\nkrab,GandCrab v4 ransomware affected data,Yes\r\nkraken,Rakhni ransomware affected 
file,Yes\r\nkratos,KratosCrypt ransomware affected data,Yes\r\nkyra,Globe ransomware affected file,Yes\r\nlcked,Jigsaw (variant) ransomware affected file,Yes\r\nLeChiffre,LeChiffre ransomware affected data,Yes\r\nlegion,Legion ransomware affected data,Yes\r\nlesli,CryptoMix ransomware affected file,Yes\r\nlock93,Lock93 ransomware affected file,Yes\r\nlocked,Various ransomware affected data,Yes\r\nlocklock,LockLock ransomware affected data,Yes\r\nlocky,Locky ransomware affected data,Yes\r\nlol!,GPCode ransomware affected data,Yes\r\nloli,LOLI RanSomeWare ransomware affected file,Yes\r\nlovewindows,Globe (variant) ransomware affected file,Yes\r\nmadebyadam,Roga ransomware affected file,Yes\r\nmagic,Magic ransomware affected data,Yes\r\nmaya,HiddenTear (variant) ransomware affected file,Yes\r\nMERRY,Merry X-Mas ransomware affected file,Yes\r\nmicro,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nmole,CryptoMix (variant) ransomware affected data,Yes\r\nmp3,TeslaCrypt 3.0 ransomware encrypted data,No\r\nMRCR1,Merry X-Mas ransomware affected file,Yes\r\nnoproblemwedecfiles​,Samas/SamSam ransomware affected file,Yes\r\nnuclear55,Nuke ransomware affected file,Yes\r\nodcodc,ODCODC ransomware affected file,Yes\r\nodin,Locky ransomware affected file,Yes\r\nonion,Dharma ransomware affected data,Yes\r\noops,Marlboro ransomware affected file,Yes\r\nosiris,Locky (variant) ransomware affected data,Yes\r\np5tkjw,Xorist Ransomware affected data,Yes\r\npadcrypt,PadCrypt ransomware affected data,Yes\r\npaym,Jigsaw Ransomware affected data,Yes\r\npaymrss,Jigsaw Ransomware affected file,Yes\r\npayms,Jigsaw Ransomware affected file,Yes\r\npaymst,Jigsaw Ransomware affected file,Yes\r\npaymts,Jigsaw Ransomware affected file,Yes\r\npayrms,Jigsaw Ransomware affected file,Yes\r\npays,Jigsaw Ransomware affected data,Yes\r\npdcr,PadCrypt Ransomware script,Yes\r\npec,PEC 2017 ransomware affected file,Yes\r\nPEGS1,Merry X-Mas ransomware affected file,Yes\r\nperl,Bart ransomware affected 
file,Yes\r\nPoAr2w,Xorist Ransomware affected file,Yes\r\npotato,Potato ransomware affected file,Yes\r\npowerfulldecrypt,Samas/SamSam ransomware affected file,Yes\r\npubg,PUBG ransomware affected data,Yes\r\npurge,Globe ransomware affected file,Yes\r\npzdc,Scatter ransomware affected data,Yes\r\nR16m01d05,Ransomware affected data,Yes\r\nr5a,7ev3n ransomware affected file,Yes\r\nraid10,Globe [variant] ransomware affected file,Yes\r\nRARE1,Merry X-Mas ransomware affected file,Yes\r\nrazy,Razy ransomware affected data,Yes\r\nrdm,Radamant ransomware affected file,Yes\r\nrealfs0ciety@sigaint.org.fs0ciety,Fsociety ransomware affected file,Yes\r\nreco,STOP/DJVU ransomware file,Yes\r\nrekt,HiddenTear (variant) ransomware affected file,Yes\r\nrekt,RektLocker ransomware affected data,Yes\r\nremk,STOP Ransomware variant,Yes\r\nrip,KillLocker ransomware affected file,Yes\r\nRMCM1,Merry X-Mas ransomware affected file,Yes\r\nrmd,Zeta ransomware affected file,Yes\r\nrnsmwr,Gremit ransomware affected file,Yes\r\nrokku,Rokku ransomware affected data,Yes\r\nrrk,Radamant v2 ransomware affected file,Yes\r\nruby,Ruby ransomware affected file,Yes\r\nsage,Sage ransomware affected data,Yes\r\nSecureCrypted,Apocalypse ransomware affected file,Yes\r\nserp,Serpent (variant) ransomware affected file,Yes\r\nserpent,Serpent ransomware affected file,Yes\r\nsexy,PayDay ransomware affected files,Yes\r\nshit,Locky ransomware affected file,Yes\r\nspora,Spora ransomware affected file,Yes\r\nstn,Satan ransomware affected file,Yes\r\nsurprise,Surprise ransomware affected data,Yes\r\nszf,SZFLocker ransomware affected data,Yes\r\ntheworldisyours,Samas/SamSam ransomware affected file,Yes\r\nthor,Locky ransomware affected file,Yes\r\nttt,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nunavailable,Al-Namrood ransomware affected file,Yes\r\nvbransom,VBRansom 7 ransomware affected file,Yes\r\nvenusf,Venus Locker ransomware affected file,Yes\r\nVforVendetta,Samsam (variant) ransomware affected 
file,Yes\r\nvindows,Vindows Locker ransomware affected file,Yes\r\nvvv,TeslaCrypt 3.0 ransomware encrypted data,Yes\r\nvxlock,vxLock ransomware affected file,Yes\r\nwallet,Globe 3 (variant) ransomware affected file,Yes\r\nwcry,WannaCry ransomware affected file,Yes\r\nwflx,WildFire ransomware affected file,Yes\r\nWhereisyourfiles,Samas/SamSam ransomware affected file,Yes\r\nwindows10,Shade ransomware affected data,Yes\r\nwncry,Wana Decrypt0r 2.0 ransomware affected data,Yes\r\nxxx,TeslaCrypt 3.0 ransomware encrypted file,Yes\r\nxxx,help_dcfile ransomware affected file,Yes\r\nxyz,TeslaCrypt ransomware encrypted data,No\r\nytbl,Troldesh (variant) ransomware affected file,Yes\r\nzcrypt,ZCRYPT ransomware affected data,Yes\r\nzepto,Locky ransomware affected data,Yes\r\nzorro,Zorro ransomware affected file,Yes\r\nzyklon,ZYKLON ransomware affected data,Yes\r\nzzz,TeslaCrypt ransomware encrypted data,Yes\r\nzzzzz,Locky ransomware affected file,Yes\r\n" + }, + "apiVersion": "2022-11-01" + } + ] +} \ No newline at end of file diff --git a/Solutions/Malware Protection Essentials/Workbooks/MalwareProtectionEssentialsWorkbook.json b/Solutions/Malware Protection Essentials/Workbooks/MalwareProtectionEssentialsWorkbook.json new file mode 100644 index 00000000000..90151862af7 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Workbooks/MalwareProtectionEssentialsWorkbook.json 
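Review bot: The `rawContent` row `noproblemwedecfiles​,Samas/SamSam ransomware affected file,Yes` carries an invisible zero-width space (U+200B) right after the extension, so any lookup keyed on `FileExtension` can never match that value; strip it (and fix the `affecte` typo in the `_AiraCropEncrypted` row) before the content is packaged. `FileExtension` is declared as `itemsSearchKey` yet the column holds duplicate keys (`enc`, `encrypted`, `fun`, `rekt`, `xxx`), so a join against `_GetWatchlist('RansomwareFileExtensions')` would presumably fan one event out into several rows per hit — either merge those descriptions into one row or have the consuming queries dedupe on the key. Several generic extensions (`aaa`, `bin`, `ccc`, `dll`, `mp3`, `xyz`) are shipped with `Enabled` set to `No`, and nothing in this template records that consumers are expected to filter them; extend `description` with `Rows with Enabled=No are common extensions kept for reference and must be excluded by queries that use this watchlist.` Since `rawContent` embeds the same rows as the `RansomwareFileExtensions.csv` named in `source`, the two copies have to be kept in sync whenever either is edited.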
@@ -0,0 +1,540 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## Malware Protection Essentials (Preview)\n---\n\nThis wokbook provide details about Suspicious Malware Activities from File, Process and Registry events generated by EDR (Endpoint Detection and Response) solutions.\n\n\n" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "c470616d-5af0-483a-a595-28a684d878a1", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "value": { + "durationMs": 86400000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + } + }, + { + "id": "f0450560-ef16-4aa9-a3ad-7485dd909587", + "version": "KqlParameterItem/1.0", + "name": "Help", + "type": 10, + "isRequired": true, + "jsonData": "[{ \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true }]", + "label": "Show Help" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 1, + "content": { + "json": "\r\n|File|Process|Registry|\r\n|------|-------|----|\r\n|Files Created in Startup Folders|List of Suspicious Processes Created with Base64 CommandLine Argumnet|Startup Registry Creation/Moification|\r\n|Top 10 Hosts where Files Created in Startup Folders|Top 
10 Devices with Suspicious Process|Top 10 Devices with Most Startup Registry Modification|\r\n|Top 10 Accounts to Create Files in Startup Folders|Top 10 Processes with Suspicious CommandLine|Top 10 Users with Most Startup Registry Modification|\r\n|List of Scheduled Task Created with Encoded Command|List of Backup Deletion Acitivties using LOL Binaries|Windows Update Disabled Devices|\r\n|Top 10 Processes Creating Scheduled Task with Encoded Command|Top 10 Devices with Most Backup Deletion Activity|Windows Firewall Allow Rule Addition Events|\r\n|Top 10 Users Creating Scheduled Task with Encoded Command|List of Processes Started from Unusual Locations|Top 10 Devices with Most Windows Firewall Allow Rule Addition|\r\n||Top 10 Devices where Processes Started from Unusual Locations|Top 10 Users to add Windows Firewall Allow Rule|" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 8" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "3d902e84-3e5b-4631-85d1-c229ec2abf75", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "File Activity", + "subTarget": "File", + "style": "link" + }, + { + "id": "bbc20288-b398-4f63-b7a9-e3830213bb34", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Process Activity", + "subTarget": "Process", + "style": "link" + }, + { + "id": "edab4a44-8ca3-4ba1-bede-4186f4376d28", + "cellValue": "selectedTab", + "linkTarget": "parameter", + "linkLabel": "Registry Activity", + "subTarget": "Registry", + "style": "link" + } + ] + }, + "name": "links - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 
'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData", + "size": 0, + "title": "Startup Registry Creation/Moification {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + } + }, + "name": 
"RegistryActivity-Startup1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by DvcHostname\r\n| take 10", + "size": 0, + "title": "Top 10 Devices with Most 
Startup Registry Modification {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "RegistryActivity-Startup2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let startupRegistryList = dynamic([\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServicesOnce',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunServices',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Policies\\\\Explorer\\\\Run',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Userinit',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Winlogon\\\\Shell',\r\n 'HKEY_CURRENT_USER\\\\Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Microsoft\\\\Windows Advanced Threat Protection'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 
'RegistryKeyCreated') and RegistryKey has_any (startupRegistryList)\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by ActorUsername\r\n| take 10", + "size": 0, + "title": "Top 10 Users with Most Startup Registry Modification {TimeRange}", + "noDataMessage": "No Data for given TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "RegistryActivity-Startup3", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " let windowsUpdateRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate',\r\n 'HKEY_LOCAL_MACHINE\\\\Software\\\\Policies\\\\Microsoft\\\\Windows\\\\WindowsUpdate\\\\AU'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (windowsUpdateRegistryList) \r\n | where RegistryValue has_any ('AUOptions', 'NoAutoUpdate') and RegistryValueData == '1'\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData", + "size": 0, + "title": "Windows Update Disabled Devices {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "RegistryActivity-WindowsUpdate1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " let firewallRegistryList = dynamic([\r\n 
'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData", + "size": 0, + "title": "Windows Firewall Allow Rule Addition Events {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "RegistryActivity-WindowsFirewall1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " let firewallRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | 
where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by DvcHostname\r\n| take 10", + "size": 0, + "title": "Top 10 Devices with Most Windows Firewall Allow Rule Addition {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "RegistryActivity-WindowsFirewall2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " let firewallRegistryList = dynamic([\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Static\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Parameters\\\\FirewallPolicy\\\\RestrictedServices\\\\Configurable\\\\System',\r\n 'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\SharedAccess\\\\Defaults\\\\FirewallPolicy\\\\FirewallRules',\r\n 'HKEY_LOCAL_MACHINE\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\WindowsFirewall'\r\n ]);\r\n _ASim_RegistryEvent\r\n | where EventType in ('RegistryValueSet', 'RegistryKeyCreated') \r\n | where RegistryKey has_any (firewallRegistryList) and RegistryValueData has_all ('Action=Allow', 'Active=TRUE')\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n ActorUsername,\r\n ActorUsernameType,\r\n ActingProcessId,\r\n ActingProcessName,\r\n ActingProcessCommandLine,\r\n RegistryKey,\r\n RegistryValue,\r\n 
RegistryValueType,\r\n RegistryValueData\r\n| summarize Count=count() by ActorUsername\r\n| take 10", + "size": 0, + "title": "Top 10 Users to add Windows Firewall Allow Rule {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "RegistryActivity-WindowsFirewall2 - Copy", + "styleSettings": { + "maxWidth": "50%" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Registry" + }, + "name": "groupRegistry" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_ProcessEvent\r\n | where EventType == 'ProcessCreated'\r\n | extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n | project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine", + "size": 0, + "title": "List of Suspicious Processes Created with Base64 CommandLine Argumnet {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "ProcessActivity-SuspiciousProcess1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n| where strlen(CommandLineArgs) > 0\r\n| mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project\r\n 
TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count ", + "size": 0, + "title": "Top 10 Devices with Suspicious Process {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "ProcessActivity-SuspiciousProcess2", + "styleSettings": { + "margin": "50", + "padding": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n| where strlen(CommandLineArgs) > 0\r\n| mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine\r\n| summarize Count=count() by TargetProcessName\r\n| top 10 by Count ", + "size": 0, + "title": "Top 10 Processes with Suspicious CommandLine {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "RegistryActivity-SuspiciousProcess3", + "styleSettings": { + "margin": "50", + "padding": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " _ASim_ProcessEvent\r\n | where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\r\n | where CommandLine has_all ('delete', 'shadow')\r\n | union isfuzzy=True \r\n (imProcess\r\n | where TargetProcessFilename =~ 'bcedit.exe'\r\n | where CommandLine has_all ('/set', 'recoveryenabled no')\r\n )\r\n 
| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName", + "size": 0, + "title": "List of Backup Deletion Acitivties using LOL Binaries {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "ProcessActivity-BackupDeletion1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_ProcessEvent\r\n| where TargetProcessFilename has_any ('vssadmin.exe', 'wbadmin.exe', 'wmic.exe')\r\n| where CommandLine has_all ('delete', 'shadow')\r\n| union isfuzzy=True \r\n (imProcess\r\n | where TargetProcessFilename =~ 'bcedit.exe'\r\n | where CommandLine has_all ('/set', 'recoveryenabled no')\r\n )\r\n| project\r\n TimeGenerated,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count ", + "size": 0, + "title": "Top 10 Devices with Most Backup Deletion Activity {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "name": "ProcessActivity-BackupDeletion2", + "styleSettings": { + "margin": "50", + "padding": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let fileLocations = dynamic([\r\n '\\\\AppData\\\\Local\\\\Temp\\\\',\r\n '\\\\Recycle Bin\\\\'\r\n ]);\r\n_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\r\n| project\r\n TimeGenerated,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain", + "size": 0, + "title": "List of Processes 
Started from Unusual Locations {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "filter": true + } + }, + "name": "ProcessActivity-MaliciousProcessLocation1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let fileLocations = dynamic([\r\n '\\\\AppData\\\\Local\\\\Temp\\\\',\r\n '\\\\Recycle Bin\\\\'\r\n ]);\r\n_ASim_ProcessEvent\r\n| where EventType == 'ProcessCreated' and TargetProcessName has_any (fileLocations)\r\n| project\r\n TimeGenerated,\r\n TargetUsername,\r\n TargetProcessName,\r\n CommandLine,\r\n ParentProcessName,\r\n DvcHostname,\r\n DvcIpAddr,\r\n DvcDomain\r\n| summarize Count=count() by DvcHostname\r\n| top 10 by Count", + "size": 0, + "title": "Top 10 Devices where Processes Started from Unusual Locations {TimeRange}", + "noDataMessage": "No Data for this Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "name": "ProcessActivity-MaliciousProcessLocation2" + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "Process" + }, + "name": "groupProcess" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where FilePath has_any (startupFolderList)\r\n | project FileName, 
FilePath, DvcHostname, DvcDomain, User, DvcId, TenantId, Process, CommandLine", + "size": 0, + "title": "Files Created in Startup Folders {TimeRange}", + "noDataMessage": "No Data for Given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "filter": true + } + }, + "showPin": false, + "name": "FileActivity-Startup1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where FilePath has_any (startupFolderList)\r\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine\r\n | summarize Count=count() by DvcHostname\r\n | top 10 by Count", + "size": 0, + "title": "Top 10 Hosts where Files Created in Startup Folders {TimeRange}", + "noDataMessage": "No Data for Given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "unstackedbar" + }, + "customWidth": "50", + "name": "FileActivity-Startup2", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": " // List of startup folders to monitor\r\n let startupFolderList = dynamic([\r\n '\\\\AppData\\\\Roaming\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\',\r\n '\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\StartUp\\\\',\r\n '/etc/init.d/',\r\n '/etc/rc.d/',\r\n '/etc/cron.d/'\r\n ]);\r\n _ASim_FileEvent\r\n | where EventType == 'FileCreated'\r\n | where 
FilePath has_any (startupFolderList)\r\n | project FileName, FilePath, DvcHostname, DvcId, TenantId, Process, CommandLine, ActorUsername\r\n | summarize Count=count() by ActorUsername\r\n | top 10 by Count", + "size": 0, + "title": "Top 10 Accounts to Create Files in Startup Folders {TimeRange}", + "noDataMessage": "No Data for Given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "FileActivity-Startup3", + "styleSettings": { + "maxWidth": "50%" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n", + "size": 0, + "title": "List of Scheduled Task Created with Encoded Command {TimeRange}", + "noDataMessage": "No Data for Given Time Range", + "timeContextFromParameter": "TimeRange", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "FileActivity-ScheduledTask1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n| summarize 
Count=count() by Process\r\n| top 10 by Count", + "size": 0, + "title": "Top 10 Processes Creating Scheduled Task with Encoded Command {TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "FileActivity-ScheduledTask2", + "styleSettings": { + "maxWidth": "50" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "_ASim_FileEvent\r\n| where EventType in ('FileCreated', 'FileModified')\r\n| where FilePath has '\\\\Windows\\\\System32\\\\Tasks'\r\n| extend CommandLineArgs = todynamic(array_slice(split(CommandLine, \" \"), 1, -1))\r\n | where strlen(CommandLineArgs) > 0\r\n | mv-apply CommandLineArgs on \r\n (\r\n where CommandLineArgs contains \"base64\"\r\n )\r\n| project TimeGenerated, DvcHostname, DvcDomain, User, Process, CommandLine, FileName, FilePath\r\n| summarize Count=count() by User\r\n| top 10 by Count", + "size": 0, + "title": "Top 10 Users Creating Scheduled Task with Encoded Command{TimeRange}", + "noDataMessage": "No Data for given Time Range", + "timeContext": { + "durationMs": 86400000 + }, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "50", + "name": "FileActivity-ScheduledTask3", + "styleSettings": { + "maxWidth": "50" + } + } + ] + }, + "conditionalVisibility": { + "parameterName": "selectedTab", + "comparison": "isEqualTo", + "value": "File" + }, + "name": "groupFile" + } + ], + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file From 38f5988f3f963f50b38aa899ee3be92ef757f9e4 Mon Sep 17 00:00:00 2001 
From: rahul0216 Date: Fri, 22 Dec 2023 10:02:28 +0530 Subject: [PATCH 2/6] Add Custom Function Definition --- .../CustomFunctions/_ASim_FileEvent.json | 548 ++++++++++++++++++ .../CustomFunctions/_ASim_ProcessEvent.json | 432 ++++++++++++++ .../CustomFunctions/_ASim_RegistryEvent.json | 192 ++++++ 3 files changed, 1172 insertions(+) create mode 100644 .script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json create mode 100644 .script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json create mode 100644 .script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json new file mode 100644 index 00000000000..ab7fe1b4b94 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json 
@@ -0,0 +1,548 @@ +{ + "FunctionName": "_ASim_FileEvent", + "FunctionParameters": [ + { + "Name": "disabled", + "Type": "bool", + "IsRequired": false + } + ], + "FunctionResultColumns": [ + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "ActingAppId", + "Type": "string" + }, + { + "Name": "ActingAppName", + "Type": "string" + }, + { + "Name": "ActingAppType", + "Type": "string" + }, + { + "Name": "ActingProcessCommandLine", + "Type": "string" + }, + { + "Name": "ActingProcessGuid", + "Type": "string" + }, + { + "Name": "ActingProcessId", + "Type": "string" + }, + { + "Name": "ActingProcessName", + "Type": "string" + }, + { + "Name": "ActorOriginalUserType", + "Type": "string" + }, + { + "Name": "ActorScope", + "Type": "string" + }, + { + "Name": "ActorScopeId", + "Type": "string" + }, + { + "Name": "ActorSessionId", + "Type": "string" + }, + { + "Name": "ActorUserAadId", + "Type": "string" + }, + { + "Name": "ActorUserId", + "Type": "string" + }, + { + "Name": "ActorUserIdType", + "Type": "string" + }, + { + "Name": "ActorUsername", + "Type": "string" + }, + { + "Name": "ActorUsernameType", + "Type": "string" + }, + { + "Name": "ActorUserSid", + "Type": "string" + }, + { + "Name": "ActorUserType", + "Type": "string" + }, + { + "Name": "AdditionalFields", + "Type": "dynamic" + }, + { + "Name": "Application", + "Type": "string" + }, + { + "Name": "DstDescription", + "Type": "string" + }, + { + "Name": "Dvc", + "Type": "string" + }, + { + "Name": "DvcAction", + "Type": "string" + }, + { + "Name": "DvcDescription", + "Type": "string" + }, + { + "Name": "DvcDomain", + "Type": "string" + }, + { + "Name": "DvcDomainType", + "Type": "string" + }, + { + "Name": "DvcFQDN", + "Type": "string" + }, + { + "Name": "DvcHostname", + "Type": "string" + }, + { + "Name": "DvcId", + "Type": "string" + }, + { + "Name": "DvcIdType", + "Type": "string" + }, + { + "Name": "DvcInterface", + "Type": "string" + }, + { + "Name": "DvcIpAddr", + "Type": "string" + }, + { + 
"Name": "DvcMacAddr", + "Type": "string" + }, + { + "Name": "DvcOriginalAction", + "Type": "string" + }, + { + "Name": "DvcOs", + "Type": "string" + }, + { + "Name": "DvcOsVersion", + "Type": "string" + }, + { + "Name": "DvcScopeId", + "Type": "string" + }, + { + "Name": "EventCount", + "Type": "int" + }, + { + "Name": "EventEndTime", + "Type": "datetime" + }, + { + "Name": "EventMessage", + "Type": "string" + }, + { + "Name": "EventOriginalResultDetails", + "Type": "string" + }, + { + "Name": "EventOriginalSeverity", + "Type": "string" + }, + { + "Name": "EventOriginalSubType", + "Type": "string" + }, + { + "Name": "EventOriginalType", + "Type": "string" + }, + { + "Name": "EventOriginalUid", + "Type": "string" + }, + { + "Name": "EventOwner", + "Type": "string" + }, + { + "Name": "EventProduct", + "Type": "string" + }, + { + "Name": "EventProductVersion", + "Type": "string" + }, + { + "Name": "EventReportUrl", + "Type": "string" + }, + { + "Name": "EventResult", + "Type": "string" + }, + { + "Name": "EventSchema", + "Type": "string" + }, + { + "Name": "EventSchemaVersion", + "Type": "string" + }, + { + "Name": "EventSeverity", + "Type": "string" + }, + { + "Name": "EventStartTime", + "Type": "datetime" + }, + { + "Name": "EventType", + "Type": "string" + }, + { + "Name": "EventUid", + "Type": "string" + }, + { + "Name": "EventVendor", + "Type": "string" + }, + { + "Name": "FileName", + "Type": "string" + }, + { + "Name": "FilePath", + "Type": "string" + }, + { + "Name": "Hash", + "Type": "string" + }, + { + "Name": "HashType", + "Type": "string" + }, + { + "Name": "HttpUserAgent", + "Type": "string" + }, + { + "Name": "IpAddr", + "Type": "string" + }, + { + "Name": "NetworkApplicationProtocol", + "Type": "string" + }, + { + "Name": "Process", + "Type": "string" + }, + { + "Name": "Rule", + "Type": "string" + }, + { + "Name": "RuleName", + "Type": "string" + }, + { + "Name": "RuleNumber", + "Type": "int" + }, + { + "Name": "Src", + "Type": "string" + }, + { + 
"Name": "SrcDescription", + "Type": "string" + }, + { + "Name": "SrcDeviceType", + "Type": "string" + }, + { + "Name": "SrcDomain", + "Type": "string" + }, + { + "Name": "SrcDomainType", + "Type": "string" + }, + { + "Name": "SrcDvcId", + "Type": "string" + }, + { + "Name": "SrcDvcIdType", + "Type": "string" + }, + { + "Name": "SrcDvcScope", + "Type": "string" + }, + { + "Name": "SrcDvcScopeId", + "Type": "string" + }, + { + "Name": "SrcFileCreationTime", + "Type": "datetime" + }, + { + "Name": "SrcFileDirectory", + "Type": "string" + }, + { + "Name": "SrcFileExtension", + "Type": "string" + }, + { + "Name": "SrcFileMD5", + "Type": "string" + }, + { + "Name": "SrcFileMimeType", + "Type": "string" + }, + { + "Name": "SrcFileName", + "Type": "string" + }, + { + "Name": "SrcFilePath", + "Type": "string" + }, + { + "Name": "SrcFilePathType", + "Type": "string" + }, + { + "Name": "SrcFileSHA1", + "Type": "string" + }, + { + "Name": "SrcFileSHA256", + "Type": "string" + }, + { + "Name": "SrcFileSHA512", + "Type": "string" + }, + { + "Name": "SrcFileSize", + "Type": "long" + }, + { + "Name": "SrcFQDN", + "Type": "string" + }, + { + "Name": "SrcGeoCity", + "Type": "string" + }, + { + "Name": "SrcGeoCountry", + "Type": "string" + }, + { + "Name": "SrcGeoLatitude", + "Type": "real" + }, + { + "Name": "SrcGeoLongitude", + "Type": "real" + }, + { + "Name": "SrcGeoRegion", + "Type": "string" + }, + { + "Name": "SrcHostname", + "Type": "string" + }, + { + "Name": "SrcIpAddr", + "Type": "string" + }, + { + "Name": "SrcPortNumber", + "Type": "int" + }, + { + "Name": "TargetAppId", + "Type": "string" + }, + { + "Name": "TargetAppName", + "Type": "string" + }, + { + "Name": "TargetAppType", + "Type": "string" + }, + { + "Name": "TargetFileCreationTime", + "Type": "datetime" + }, + { + "Name": "TargetFileDirectory", + "Type": "string" + }, + { + "Name": "TargetFileExtension", + "Type": "string" + }, + { + "Name": "TargetFileMD5", + "Type": "string" + }, + { + "Name": 
"TargetFileMimeType", + "Type": "string" + }, + { + "Name": "TargetFileName", + "Type": "string" + }, + { + "Name": "TargetFilePath", + "Type": "string" + }, + { + "Name": "TargetFilePathType", + "Type": "string" + }, + { + "Name": "TargetFileSHA1", + "Type": "string" + }, + { + "Name": "TargetFileSHA256", + "Type": "string" + }, + { + "Name": "TargetFileSHA512", + "Type": "string" + }, + { + "Name": "TargetFileSize", + "Type": "long" + }, + { + "Name": "TargetUrl", + "Type": "string" + }, + { + "Name": "ThreatCategory", + "Type": "string" + }, + { + "Name": "ThreatConfidence", + "Type": "int" + }, + { + "Name": "ThreatField", + "Type": "string" + }, + { + "Name": "ThreatFilePath", + "Type": "string" + }, + { + "Name": "ThreatFirstReportedTime", + "Type": "datetime" + }, + { + "Name": "ThreatId", + "Type": "string" + }, + { + "Name": "ThreatIpAddr", + "Type": "string" + }, + { + "Name": "ThreatIsActive", + "Type": "bool" + }, + { + "Name": "ThreatLastReportedTime", + "Type": "datetime" + }, + { + "Name": "ThreatName", + "Type": "string" + }, + { + "Name": "ThreatOriginalConfidence", + "Type": "string" + }, + { + "Name": "ThreatOriginalRiskLevel", + "Type": "string" + }, + { + "Name": "ThreatRiskLevel", + "Type": "int" + }, + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "Url", + "Type": "string" + }, + { + "Name": "User", + "Type": "string" + }, + { + "Name": "ActorUserPuid", + "Type": "string" + }, + { + "Name": "ActorUpn", + "Type": "string" + } + ] + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json new file mode 100644 index 00000000000..5df82be3141 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json 
@@ -0,0 +1,432 @@ +{ + "FunctionName": "_ASim_ProcessEvent", + "FunctionParameters": [ + { + "Name": "starttime", + "Type": "datetime", + "IsRequired": false + }, + { + "Name": "endtime", + "Type": "datetime", + "IsRequired": false + }, + { + "Name": "commandline_has_any", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "commandline_has_all", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "commandline_has_any_ip_prefix", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "actingprocess_has_any", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "targetprocess_has_any", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "parentprocess_has_any", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "targetusername", + "Type": "string", + "IsRequired": false + }, + { + "Name": "dvcipaddr_has_any_prefix", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "dvcname_has_any", + "Type": "dynamic", + "IsRequired": false + }, + { + "Name": "eventtype", + "Type": "string", + "IsRequired": false + }, + { + "Name": "disabled", + "Type": "bool", + "IsRequired": false + } + ], + "FunctionResultColumns": [ + { + "Name": "TimeGenerated", + "Type": "DateTime" + }, + { + "Name": "_ResourceId", + "Type": "String" + }, + { + "Name": "Type", + "Type": "String" + }, + { + "Name": "EventType", + "Type": "String" + }, + { + "Name": "EventProduct", + "Type": "String" + }, + { + "Name": "EventProductVersion", + "Type": "String" + }, + { + "Name": "EventCount", + "Type": "Int32" + }, + { + "Name": "EventMessage", + "Type": "String" + }, + { + "Name": "EventVendor", + "Type": "String" + }, + { + "Name": "EventSchemaVersion", + "Type": "String" + }, + { + "Name": "EventOriginalUid", + "Type": "String" + }, + { + "Name": "EventOriginalType", + "Type": "String" + }, + { + "Name": "EventStartTime", + "Type": "DateTime" + }, + { + "Name": "EventEndTime", + "Type": "DateTime" + }, + { + "Name": "EventReportUrl", + 
"Type": "String" + }, + { + "Name": "EventResult", + "Type": "String" + }, + { + "Name": "EventResultDetails", + "Type": "String" + }, + { + "Name": "AdditionalFields", + "Type": "Object" + }, + { + "Name": "DvcId", + "Type": "String" + }, + { + "Name": "DvcHostname", + "Type": "String" + }, + { + "Name": "DvcIpAddr", + "Type": "String" + }, + { + "Name": "DvcOs", + "Type": "String" + }, + { + "Name": "DvcOsVersion", + "Type": "String" + }, + { + "Name": "DvcMacAddr", + "Type": "String" + }, + { + "Name": "TargetUsername", + "Type": "String" + }, + { + "Name": "TargetUsernameType", + "Type": "String" + }, + { + "Name": "TargetUserId", + "Type": "String" + }, + { + "Name": "TargetUserIdType", + "Type": "String" + }, + { + "Name": "TargetUserSessionId", + "Type": "String" + }, + { + "Name": "TargetProcessName", + "Type": "String" + }, + { + "Name": "TargetProcessCompany", + "Type": "String" + }, + { + "Name": "TargetProcessFileDescription", + "Type": "String" + }, + { + "Name": "TargetProcessFileProduct", + "Type": "String" + }, + { + "Name": "TargetProcessFileVersion", + "Type": "String" + }, + { + "Name": "TargetProcessIsHidden", + "Type": "SByte" + }, + { + "Name": "TargetProcessInjectedAddress", + "Type": "String" + }, + { + "Name": "TargetProcessMD5", + "Type": "String" + }, + { + "Name": "TargetProcessSHA1", + "Type": "String" + }, + { + "Name": "TargetProcessSHA256", + "Type": "String" + }, + { + "Name": "TargetProcessSHA512", + "Type": "String" + }, + { + "Name": "TargetProcessIMPHASH", + "Type": "String" + }, + { + "Name": "TargetProcessCommandLine", + "Type": "String" + }, + { + "Name": "TargetProcessCreationTime", + "Type": "DateTime" + }, + { + "Name": "TargetProcessId", + "Type": "String" + }, + { + "Name": "TargetProcessGuid", + "Type": "String" + }, + { + "Name": "TargetProcessIntegrityLevel", + "Type": "String" + }, + { + "Name": "TargetProcessTokenElevation", + "Type": "String" + }, + { + "Name": "ActorUsername", + "Type": "String" + }, + { + "Name": 
"ActorUsernameType", + "Type": "String" + }, + { + "Name": "ActorUserId", + "Type": "String" + }, + { + "Name": "ActorUserIdType", + "Type": "String" + }, + { + "Name": "ActorSessionId", + "Type": "String" + }, + { + "Name": "ActingProcessCommandLine", + "Type": "String" + }, + { + "Name": "ActingProcessName", + "Type": "String" + }, + { + "Name": "ActingProcessCompany", + "Type": "String" + }, + { + "Name": "ActingProcessFileDescription", + "Type": "String" + }, + { + "Name": "ActingProcessFileProduct", + "Type": "String" + }, + { + "Name": "ActingProcessFileVersion", + "Type": "String" + }, + { + "Name": "ActingProcessIsHidden", + "Type": "SByte" + }, + { + "Name": "ActingProcessInjectedAddress", + "Type": "String" + }, + { + "Name": "ActingProcessId", + "Type": "String" + }, + { + "Name": "ActingProcessGuid", + "Type": "String" + }, + { + "Name": "ActingProcessIntegrityLevel", + "Type": "String" + }, + { + "Name": "ActingProcessMD5", + "Type": "String" + }, + { + "Name": "ActingProcessSHA1", + "Type": "String" + }, + { + "Name": "ActingProcessSHA256", + "Type": "String" + }, + { + "Name": "ActingProcessSHA512", + "Type": "String" + }, + { + "Name": "ActingProcessIMPHASH", + "Type": "String" + }, + { + "Name": "ActingProcessCreationTime", + "Type": "DateTime" + }, + { + "Name": "ParentProcessName", + "Type": "String" + }, + { + "Name": "ParentProcessCompany", + "Type": "String" + }, + { + "Name": "ParentProcessFileDescription", + "Type": "String" + }, + { + "Name": "ParentProcessFileProduct", + "Type": "String" + }, + { + "Name": "ParentProcessFileVersion", + "Type": "String" + }, + { + "Name": "ParentProcessIsHidden", + "Type": "SByte" + }, + { + "Name": "ParentProcessInjectedAddress", + "Type": "String" + }, + { + "Name": "ParentProcessId", + "Type": "String" + }, + { + "Name": "ParentProcessGuid", + "Type": "String" + }, + { + "Name": "ParentProcessIntegrityLevel", + "Type": "String" + }, + { + "Name": "ParentProcessMD5", + "Type": "String" + }, + { + "Name": 
"ParentProcessSHA1", + "Type": "String" + }, + { + "Name": "ParentProcessSHA256", + "Type": "String" + }, + { + "Name": "ParentProcessSHA512", + "Type": "String" + }, + { + "Name": "ParentProcessIMPHASH", + "Type": "String" + }, + { + "Name": "ParentProcessCreationTime", + "Type": "DateTime" + }, + { + "Name": "Dvc", + "Type": "String" + }, + { + "Name": "User", + "Type": "String" + }, + { + "Name": "Process", + "Type": "String" + }, + { + "Name": "CommandLine", + "Type": "String" + }, + { + "Name": "Hash", + "Type": "String" + } + ] + } \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json new file mode 100644 index 00000000000..9795cd5ef7d --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json 
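Review bot: The column types in this file use .NET-style names (`String`, `DateTime`, `Int32`, `SByte`, `Object`) while `_ASim_FileEvent.json` earlier in this patch and `_ASim_RegistryEvent.json` after it use KQL scalar names (`string`, `datetime`, `int`, `dynamic`), and patch 3 then deepens the mix by adding `"Type": "string"` for DvcDomain here and `"Type": "String"` for CommandLine to the FileEvent file. Whether the KQL validation harness compares these names case-insensitively is not visible from the diff; if it does not, a column such as `AdditionalFields` declared as `Object` or `TargetProcessIsHidden` declared as `SByte` may validate differently from its ASIM definition (the IsHidden fields are documented as boolean, so `SByte` looks like an export artifact — worth confirming). Normalising all three files to the KQL vocabulary, e.g. `"Type": "bool"` for the three `*ProcessIsHidden` columns and `"Type": "dynamic"` for AdditionalFields, keeps the test schema readable against the ASIM docs.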
@@ -0,0 +1,192 @@ +{ + "FunctionName": "_ASim_RegistryEvent", + "FunctionParameters": [ + { + "Name": "disabled", + "Type": "bool", + "IsRequired": false + } + ], + "FunctionResultColumns": [ + { + "Name": "TimeGenerated", + "Type": "datetime" + }, + { + "Name": "_ResourceId", + "Type": "string" + }, + { + "Name": "Type", + "Type": "string" + }, + { + "Name": "EventType", + "Type": "string" + }, + { + "Name": "EventProduct", + "Type": "string" + }, + { + "Name": "EventProductVersion", + "Type": "string" + }, + { + "Name": "EventCount", + "Type": "int" + }, + { + "Name": "EventMessage", + "Type": "string" + }, + { + "Name": "EventVendor", + "Type": "string" + }, + { + "Name": "EventSchemaVersion", + "Type": "string" + }, + { + "Name": "EventOriginalUid", + "Type": "string" + }, + { + "Name": "EventOriginalType", + "Type": "string" + }, + { + "Name": "EventStartTime", + "Type": "datetime" + }, + { + "Name": "EventEndTime", + "Type": "datetime" + }, + { + "Name": "EventReportUrl", + "Type": "string" + }, + { + "Name": "AdditionalFields", + "Type": "dynamic" + }, + { + "Name": "RegistryKey", + "Type": "string" + }, + { + "Name": "RegistryValue", + "Type": "string" + }, + { + "Name": "RegistryValueType", + "Type": "string" + }, + { + "Name": "RegistryValueData", + "Type": "string" + }, + { + "Name": "RegistryPreviousKey", + "Type": "string" + }, + { + "Name": "RegistryPreviousValue", + "Type": "string" + }, + { + "Name": "RegistryPreviousValueType", + "Type": "string" + }, + { + "Name": "RegistryPreviousValueData", + "Type": "string" + }, + { + "Name": "DvcId", + "Type": "string" + }, + { + "Name": "DvcHostname", + "Type": "string" + }, + { + "Name": "DvcIpAddr", + "Type": "string" + }, + { + "Name": "DvcOs", + "Type": "string" + }, + { + "Name": "DvcOsVersion", + "Type": "string" + }, + { + "Name": "DvcMacAddr", + "Type": "string" + }, + { + "Name": "ActorUsername", + "Type": "string" + }, + { + "Name": "ActorUsernameType", + "Type": "string" + }, + { + "Name": 
"ActorUserId",
+ "Type": "string"
+ },
+ {
+ "Name": "ActorUserIdType",
+ "Type": "string"
+ },
+ {
+ "Name": "ActorSessionId",
+ "Type": "string"
+ },
+ {
+ "Name": "ActingProcessName",
+ "Type": "string"
+ },
+ {
+ "Name": "ActingProcessId",
+ "Type": "string"
+ },
+ {
+ "Name": "ActingProcessGuid",
+ "Type": "string"
+ },
+ {
+ "Name": "ParentProcessName",
+ "Type": "string"
+ },
+ {
+ "Name": "ParentProcessId",
+ "Type": "string"
+ },
+ {
+ "Name": "ParentProcessGuid",
+ "Type": "string"
+ },
+ {
+ "Name": "Dvc",
+ "Type": "string"
+ },
+ {
+ "Name": "User",
+ "Type": "string"
+ },
+ {
+ "Name": "Process",
+ "Type": "string"
+ },
+ {
+ "Name": "Username",
+ "Type": "string"
+ }
+ ]
+ }
\ No newline at end of file
From 070ca675b82e65c5f4c6db10447ce86928753f33 Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Fri, 22 Dec 2023 12:27:47 +0530
Subject: [PATCH 3/6] Update Custom Function schema to add missing columns
---
.../CustomFunctions/_ASim_FileEvent.json | 4 ++++
.../CustomFunctions/_ASim_ProcessEvent.json | 8 ++++++++
.../CustomFunctions/_ASim_RegistryEvent.json | 8 ++++++++
.../Analytic Rules/BackupDeletionDetected.yaml | 2 +-
.../Package/mainTemplate.json | 2 +-
5 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json
index ab7fe1b4b94..6c22f5436f1 100644
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_FileEvent.json
@@ -272,6 +272,10 @@
 "Name": "Process",
 "Type": "string"
 },
+ {
+ "Name": "CommandLine",
+ "Type": "String"
+ },
 {
 "Name": "Rule",
 "Type": "string"
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
index 5df82be3141..385fe995b9c 100644
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
@@ -148,6 +148,10 @@
 "Name": "DvcHostname",
 "Type": "String"
 },
+ {
+ "Name": "DvcDomain",
+ "Type": "string"
+ },
 {
 "Name": "DvcIpAddr",
 "Type": "String"
@@ -196,6 +200,10 @@
 "Name": "TargetProcessFileDescription",
 "Type": "String"
 },
+ {
+ "Name": "TargetProcessFileName",
+ "Type": "String"
+ },
 {
 "Name": "TargetProcessFileProduct",
 "Type": "String"
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json
index 9795cd5ef7d..cb164cb85ef 100644
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_RegistryEvent.json
@@ -112,6 +112,10 @@
 "Name": "DvcHostname",
 "Type": "string"
 },
+ {
+ "Name": "DvcDomain",
+ "Type": "string"
+ },
 {
 "Name": "DvcIpAddr",
 "Type": "string"
@@ -148,6 +152,10 @@
 "Name": "ActorSessionId",
 "Type": "string"
 },
+ {
+ "Name": "ActingProcessCommandLine",
+ "Type": "string"
+ },
 {
 "Name": "ActingProcessName",
 "Type": "string"
diff --git a/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml b/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
index 3c1ffe88f16..5d7828035c0 100644
--- a/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
+++ b/Solutions/Malware Protection Essentials/Analytic Rules/BackupDeletionDetected.yaml
@@ -88,7 +88,7 @@ entityMappings:
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride:
- alertDisplayNameFormat: "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
+ alertDisplayNameFormat: "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
alertDescriptionFormat: "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files."
version: 1.0.0
kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
index a568b2606db..949742566ab 100644
--- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json
+++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json
@@ -890,7 +890,7 @@
},
"alertDetailsOverride": {
"alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
- "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})"
+ "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
}
}
},
From c2e731936497ce52640c45baa1fcef310dd283fb Mon Sep 17 00:00:00 2001
From: rahul0216
Date: Fri, 22 Dec 2023 15:03:14 +0530
Subject: [PATCH 4/6] Added skip validation for FilesWithRansomwareExtensions.yaml
---
.../CustomFunctions/_ASim_ProcessEvent.json | 2 +-
.../SkipValidationsTemplates.json | 5 +
.../Package/3.0.0.zip | Bin 21601 -> 21866 bytes
.../Package/mainTemplate.json | 864 +++++++++--------
.../Package/testParameters.json | 40 +
5 files changed, 478 insertions(+), 433 deletions(-)
create mode 100644 Solutions/Malware Protection Essentials/Package/testParameters.json
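Review bot: The new `alertDisplayNameFormat` drops `{{DvcIpAddr}}` and the parentheses from the alert title, but neither the file nor the commit message records why, so the next editor may put a fourth placeholder back. If the motivation is the three-parameter limit Sentinel applies to alert-detail format strings (the old title carried four placeholders, the new one three), a one-line remark to that effect in the commit message, or a YAML comment above `alertDetailsOverride:`, would preserve the constraint; if the reason is different, state that instead. The same edit is applied to the `alertDetailsOverride` block of mainTemplate.json in the sibling hunk, so the two artefacts stay in sync. The yaml still ends without a trailing newline, as the `\ No newline at end of file` marker shows, which is worth fixing while the file is touched.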
diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
index 385fe995b9c..c2ed309f8fc 100644
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/_ASim_ProcessEvent.json
@@ -201,7 +201,7 @@
"Type": "String"
},
{
- "Name": "TargetProcessFileName",
+ "Name": "TargetProcessFilename",
"Type": "String"
},
{
diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
index 237f21180f9..547e553f372 100644
--- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
+++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json
@@ -2576,6 +2576,11 @@
"templateName": "DetectPortMisuseByStaticThresholdHunting.yaml",
"validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known issue when using Watchlist"
},
+ {
+ "id": "595aea5c-74c7-415b-8b12-10af1a338cdf",
+ "templateName": "FilesWithRansomwareExtensions.yaml",
+ "validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used being used in query. This is a known limitaion for validation."
+ },
{
"id": "320e7a40-d60e-4e07-9ef7-798f5383625d",
"templateName": "AFD-Premium-WAF-XSSDetection.yaml",
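Review bot: The new `validationFailReason` in the SkipValidationsTemplates.json hunk carries a typo and a doubled phrase copied from the entry above it (`limitaion`, `are used being used`); suggested text: `"validationFailReason": "KQL validation is failing to validate schema since Watchlist custom columns are used in the query. This is a known limitation for validation."`. Judging by the file's structure, an entry here presumably disables schema validation for the whole FilesWithRansomwareExtensions.yaml template rather than only for the Watchlist columns, so a later regression in that rule's ordinary ASim columns would no longer be caught by CI; a short remark to that effect in the reason string would make the trade-off visible to whoever next edits the rule. The `id` value must also equal the `id:` field of the template itself, which this diff does not show, so that pairing is worth a manual check.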
diff --git a/Solutions/Malware Protection Essentials/Package/3.0.0.zip b/Solutions/Malware Protection Essentials/Package/3.0.0.zip index 4f2c1bf6766f9531cccdff9ea38f3a78a130c829..0c9e511f71a031dc2e8b9935bc426a440ec28aa3 100644 GIT binary patch delta 17318 zcmYhiV{~9m(={C1nIse2wylY6n-g0nHYV0Y6Wg|JCllMY-ns7Y`SGpQt9y0*s;aYl zcU7J0of6Q~GEhWC8E}YiARr(xAPIIUwTO$TNdHz1#{=?q9633>|r!GnGqTq$1hX!1Ufez>-Dvf1W88!QPb+TkI(Tp89TLR zZR^nla_pdh@KJyI2N|{UwzjrYrH5tUi&I?dO+gZWmRajfNej32a^S_$CdyzH4?Pj# zBrW5TqV>kMtyJ6OE4zNNf)jAFd2p-TT$wu_s43FCjE<#*ay&T{#2d6 z5>Q;9rAL3WvR%3n{Q6956C-6%zQ$neA>VB!9UuB5*=DU1%kGezvFni-Vb=gls@phDKg!1W_yYi28?kIDdwz}9*rp6}@w2v+im>!gW~@v^XeG^MIL%i}-8sC4 zh^jWa>8EHb&dKSIS$y&QCO=p`BwL$_$nFzrVMva)=ernS8yrz~f+OADXAfMu-0arJPW)V=dUZUOgGc(zf;kZIg zIdVv0_}QxYN%g8COOzxR!MUV(l0K03@6-0w7clYnQM*Sv_ZL73=!dm!l4W7+mXV6O z|CNwi#`F%P9B`>%mY>0D6GpBQw#e;rsH0R9xZKKo%^`qk9QrN^iWr{#7W|sxI$N?6 zPCt-(f<2VLTE4JM z_4b|-Q7Rf@cHtzr?D-tGPCl94D0iO*cX4b9kA`-!VvXH+nMN&c(nR25$=NAD+v8Id z)N_$fjSs->4VPg!ZX=^hzylS|;z3g@RS(xQBK#)5PF*}{Puj>+jzeWo5Yn6wN4aSf z0*hzCRMc)R-jYto+S>HhVw3|zHYUoBdJ0VQZ4|&n%QN#@rd|A@-OlfCu<=uyG%Hk{ zv>oxM;?`zqVwOZ1OtT$hpXci|V_zjkgo6MBT)2bH1Ih2GVo0%;Eb_jK|Fq!XZO8dp z7L&1Na|6mD;4EkVwxDVF9WA&SX;Z4uiUa`x84}Kw5ykK)2Z|`u$Hp3B){~Z&0)Pw3=8?)zdnJpY5uumCf@!N zP8B7$WL2#<*A~gTU|q@PL9guMk(YjMbBecP5(Ckm0MiM{9-y`H(0K_<#ke?kgCQ51 zaMRg&>2X){%h_XHtABk;u%p6KN98Pd#;tOF zEi|O19g+7{!lt+>zbW%#!z+jFY~!CQ`m@)EM#M+gZgru}iGYXJtbF^HEr(ikaZ|6+ zobAk771U!JAkn6Gow~42gu@-yTu*Z{*()-&b778X&-ry-_otvc-zvAk`avH58&VFz>br>1S^^Rnage;L5HK(@=-<$fuJF$^>7U1cj*3z!Z zr?<9Z)ykRMO~(a5n9xV&$I#7kufs+y4Do73XaUZPaf05fhq48_Mf`bU@6_atsAkzp z&S(f16Fj0AoQT`KD&I=660})V{$|UQke=ltKdT`FJ|6~59* zw;=Oq8y?_O!5JBMQwWlgdS7B8O$Zj7UUhz%f?m$%_~*<=mXyR9Vx1uS8nPA=5MqIi zKCs+D#ZbYmZP8pmL|A^e4M1_hir5Pc$^mh7a)igKyjbfN#@oldXl#((v>I)^aKw74 z@3XY1+aPC%if~09E=nSopjVhKY*F5{6h0zxKmPPXa|g=5VRm8%_zYZciWj;TgjJ@TY8s$3HV1E4TTC!7gWpZYXVhj2o?o_c)O9o0+_?sw+%?kp z4=%KvQXRHxLf`Map||IATQBpg=TX_C*JE}%{I2~Valh(rwsI!#HcJHruyCHY(INqk 
zuiLz#^D}HsoR$b&LhNY7SIs-}mF`RHuCZrV2Gm&3~xVX2*|=FdmlI0W@Y!O0l< zO?w$S=pi>O{bo}!n_q=SWTecI#JJqEuxOdMLH#D8c%$8O%nL1N>hC=-u5kIp_ioEysjW;1UXpv4QedDeU zjyQ2s1V=d1jgCV_t(`eRfy7ht`RvEla5Cf&g9BTL&S*ODOrV+)Z5M6XBz9|)d=`<6 zyp|tNb)yL9l;}D$J=c$(*XV2%K;w|9z))M*_p9SyZ=0Lha1}N{0kv z&9QbJ3MAJD$hjqw3nQzcu|#RDOPk^mW9z~_+OM* z+epms(4&-bsuhs%<^u9*x*fu#p`{O3%CkFLtV%MC17tM?Q^#)Duw{6@^_5=8$BmeR z$@uOJ1}qO1N7nfdnV;@KKh@=#J+KxtE``G(T{~WvW!4nUznZEMg@THST)7oUYsc)5 zDn?iJs51&_Y929Aqo=rm_65?Ex@@GEMM!HXKmui+)nF6|=Oq2E%Y7KOgm5SrOVlB> zS}i^XK#wn+#)O&DwqvO4<*j28w-g)-&9Zjm>#wHLr*7KfW9Cdjo!t`$?t1q{{X(YQz{kWj(UK3gRp%6~?_ zgAgJS-;UaTEtAwBVjyHRjVjV^lBp>@On zd~pz-Z{eK42Mu>%x39|5YDmA7!u+}Y76;QgLMjP?c+2m))@y2{z++<6PifGN$(D`0 zdBe%q*(+K7w_lO9xm*NtVNm279~bN9bK66VgA4=Eg2-zmoB}i>_zB1qvuVhQFxxmX z04TS_R+#XQbYZ;Zr@xqB{U9h1uhAl>cAy<;nMGtsyb1assqMk9FpAVj=TcCO!Qpuw zKM$cNemtj+pi9wtwwm@NY|#x96qcoeafvnHR1#JpxX`(xzc1rTi zQYcBIpcW%PT-{l9heO$;yc<=Bsk2!97yo8IQ5h8FYLce~&UXByK0w&$2p78cAk3T< zz*KC!)vyvykwh$F=;!RpCUyEF3+H8ziS$NZ+QcM@R=zu#c>dYK!tWE1rMQUJOC?Euy zDB0k&1DZm0Mz({_c;|;qWwXyuo~02{he>q?qL1ic(?yFAFpvIQ35KGd8uBSGBU$xl{>nnFpU&@JzuPUfvntKy6o2d zj@318rUTWYyg2O_T%#zRF8 z5pPo*hDQ`&-RX8>$^YK8_s{*?qg`tD;j5Ti{ZHzgOr4mHcG<$xVq#rG5}m|{2vL9u z(I}0wFD>-zMw5NON&_m;b`uREy=S~q_}Ad>syle#Lhe zzILI{3=Jya4czbxk;XqInUHj=SQf-NA>8~rM-&g64iIp(Y_1eqK%9<(&L#1l*9HxO znhAfLG2v>(qZ(pneilP$J5yOnd-azpI|yWojHyl={5{~1Knu)8ZA&XCy4(CE3A=pB zDkgbi3d^W41IeW{`;kZm-iMd+BwJ9NHR(!m1g9!c-P=vHm=5s@-rt*h=v8rocwkW& z8#0v2&XWFpKE2Cm+XJrG^)sv)lQHBDtRWLT%bEDOVQ-z+ zlVs>voce>fn;FP-W_IEqnW17%C8gZ5Eyl(MH7St1LzS>Ul={)q@OgIk#yAETNA{$5 zVU0_Byb1Jo1e5=%6l+KhZ$g_@HwU3(1rgXr@Q0pw)RR*0_Ojq)FE{9X(d+q32L8}X z{)nF9n7+cee0+#r)4%79$=J0{eT`7dWge!(Zd)!Jpa~QS`ADbrq$zCo77FR&6-c2y7|$=ht{dp(OEZ$~231$AN8+6l zcnNN(p~vRZR25^|l3HG3+daiRxq0ujyZ+Kpbw@ zE5AMG7|sE;5aP6mMFE7QE)IZx2F=T2A9JPC=_pAK1gi&87$rf! 
z&Im5qshqrEkNW!wy~_qbMOw{XbDr_qu3)43vj}~_rkMGT>j?|{pk0IXcll$uIp5V& zAL2U_4>{FxFX^S(rttrT3nJ99hFWyZ2^xq5N~jDl9P1rMhz}=^1eU zmm27zs%sp+{H{;R1=UEBeMkXP$|RTeB^y+IZMtd!%R#0?TtVFLANuUv%kw^ajgvh( zMd%K-IXQX1ntq`KiZ4xqV?ROpzS^Axhs7eH)*#Jdq=Tg3PqE)as5RK|ORT~GEJ0dG z8TLmcq0}qf(u!%dxF=ERy9&V%ZGs;-Ii$d+EHyG&GB5@%mGc--5N5KH+aeQ!9RR5> z643`rohPP1R;>g}PLn5gBH9B{#3%P~S#0#bJ#8>ro{FLr#BuJPii~UiR9`p<2U`>l z4Fb+7_0&SZF_d#t5enuc5*s+)+BR_lm!>5WFS*CDevjzQ3eo_(IuwER78)Or^p7oi zMF)2U-N6aQuz|Zw`d(3T52}A`!FONNEBYT>utLz2!nA@!QpI%UMz}eCQ<~*S&9%sZ zi!4bDAURE<`cs%2{vHf>MY)|{Xt-BDa{Gix5*hUm7bz{2@Fb@NG%x?*A{<7T0y0+a z{wT4JQdRQ~jP+pmGhP9x)oh)(7sdflwe#NPj-PMBTJkBL>)@FLmK@7@0xMnPMNv&$ z;N@}=a(js+w^*hGeZc8Q!5>7LPcU|M%|oqi(|I5=pB=+B>ax-9YnrmDNup*bA^HpO zqhVN~pWM$^MBwQW#$ss^iq!TC`nO51s+Bv-Q*K1A_(ef|S6hI5RFhC`@}t%iL33P$dCbygWJjTtxgsSkrXXc9XO}s4YC&bX8|OJS zY8&PKw%@*yTPYF@ZXu2-E^;Jh=HCi@gm!(sQc!3U_9V>>N^NfoM3g6e=V9w8L;i)- z3q#!FCCR@uY>EK6c(o{CJQ3H*yn|JlRXj(Fja7ADKYKt?=JfxIm?X901I8yh`wF-R=%4ochJZ&QjBp@3@ntolI1%8ju6+BKWvw@pqce`q!`YS+FT;a z-+SOei0>Y5A83~u{q3V&M{d&4&{&Or?WP)I?FOY$Hl*W5f`AGK+G89$v7z4}%o}ndYV??o8IwE-J|7dEUR@3FxjwqIU7W5xY4b%p6h0ZC8;1O~RFjxDv z(ht-!tr&yyncy%Aqi5}U4E^~RS(FN3@R@LePp{D5M2`=!J|gtDq0NxsU1b;fUbPIh zz`SCZje6I$4B3^L$JOWXeaPtMcbg(A?|1%rcoo^@PA^s)H*Dsf+tY7onmSwY(>urUXdjy;hgT5NmDub-oifNYV10RZ$?hZTi z&kCzwcfs_O{3fA;p-u!Ty<-7+Y{Ni2MO7=KEgT@1Oy4zZ5u%-?VORtoN_PN{YOa7 z4)wY#S@tOCBNsXZPo?orHgU4ayBgGR-`e|KD<@9&!V_^{rjoh|0HQEpq1u-iqh^9H3p`BX4oUzzH_jz(eg ze%4*x-`#MMgwrqg-8AP`eAGQwP1i3NX6ZWA+iX@tJo{+O#si^BPPfFOxUS#(xkpsD zFa?l*?%d5_V%|DVNgQ|7CfKIkMxPRvgc=TY#w$P>W){LLsqG<5BAR%9?9A+@NqNo@VR?e4c<=?03{k);S}6(#u|^eC z44`rD{xwV=FPr<=H0`^6=|$!+E5PK-J5_~r%08oLAGViL?AV{T7bPP&^hLLSe)Dfn z5_Qtz5bgn{sWH;d82GTm@Y%=x-QojThbNtWWwX&7^w#|w$Zv+LKL{r8UR#soRmNPo zb>!u^RNv1J*wHvZi6@VI_O0p)G87?hic0UUXH1%&^8&RXE z0JP_B{K4SGF<5olg$TYV)w6#{bLza-$Pl_wAr>OP5x>-6X#k9lgl-vbtp*CBbcWZRlGa!${MEJ!_68E)>rQjiLP{K8t4x)4{KP557|6^NngClz10?T<72PPO z%fGH5c%907IZlxrQ`~#h|DrcX*tLeoqIMSx3W=;H@>3_~t5>@5y$?9kykSB{DMGz< 
zhRK5rgP#(0sgtq07vuCkY$bi#v$|?%F1Lu0AU!EanA`g7`M8)|z;|;t`+Phcd%w7o z*jxI1YcxIv!q?w7-U|ZvAunEa z0{7~n$en7hGpUE7?gD)T&%tT2>=JKRAWvn_R9RQ6F$7pb-GAuZKi8DoW_>xm&Xihb z@fmt3w|5Vms)GZ&T?Aicu0wIV7&nm2ah{TAa&=<0J4mW{j6?dlfl<7{KX~p{#ec=V zopHN7DK*sTOVMhrDuPwBP6HD@Q{DXpvangh@jNel%U``tQ^xVWa0P)^+5zOzz)(3V zw0VIqk-#M=;>Nf~2fvp_e(ZHkmEEU|mV!x>OL!{M%^a~l&%hN{Ba*yBJSBiq#Xa}0 z!1E<1l|M~~;31a}fQKV9h4I8=!WL-D=pm{{^9kbhqg_=^Tx?V{_g-vlo}}1a4Ie$) z71~AW&^miJs~W(y$#HS22q*I%(ZtVnd zQr-J_HK8deuD&I7n-;qxaXN03W5QV6qwTq8Pa;f{$_(*Mlez5-cQt0vxx;r=8+ck? zTMP%$H2Lj;6UUQXyT*+^cm?zLKM|y5w3KJowueX3&90MswTs!O9$$D%)q*|cA_O@( z6S}6;7fz%A3AK7)&SBf>IxkLFz53Kv?cY>ko8;maV>aYB_L?*fhwQ2+V)*UZ>@J3~ z=bwFBYn?Ci-pyq=-A;y(3iDh{1Z_Fp^dIWpZK<8zPUFVo`7K}w8%e#5y0R-s+Y@(2 zE|X%<3%TlA&!R%Qg4fSqzUgUg)l>2^`1pxy9ljR=h4-d!+2>RFH>TqjdfVPRK2XoI z2IJ}jZ(mgR+l*#bnD2PtQyb(zcEp(e5||6ml9B9cjeBZI*iSF`|4m;w$XTAl`)i{X zg0<4uL2|p?WjAKR3@SVh}=381-d=yhuPZ%&vo3(Z}JgX!-* zcIB5z9|-V*I}m7+sEx*wn9QWppi|L?ZaM?#xK}i_t5=PwDwAz{Q-8d<7lIqEF1`3zZ?DYwe9!3OjL`(9;qL8>CJT-azU+@93!b~IPU>pL-k2774I-7iWUxd5#svwe zV2~T43fy6JZ!q}2eY=;;X?d2!w|PFQi?ja2;)wG;o%Ye`1ch-J++9DfW`^QN_VN0W z)uYXo^SZI0E9GU!hs2Cq`-8vY0T34ZK2~vIw)Dti^EN-Sh7_8_45`s<3|>PwvKA{% zwV>f6h2jC|B3Vo+y7q~x{v4;6za~>#g14ndlshr`hF4}|Yy(%07(rnN-7UzqfUgPC zDym1!0N+-J;*U)R2ex-Sn}epL0a|h)CYMd8+IuL znmmU!&l876Dyj_3+_!P1V3%T77l|LRtgG?R)TP;hW-j#XGDWAl62%_{;D%48(!&9=xas>J>F*?|b$_eEl0w&nkUh!!cf+pWX>;LKY~vklRK!j2y~EoR=zZ8zAnzQ|Yc=c?!9< z{CyzjXLxp?T}2bnIC*q)zvZePJ*rs`%HDQFOJ8Bj1%t|OJAmSKQ)IEj9@UEzh%B?+ z$luDz2vAJ0FG$U=yskCYq8HwXV)nhU3yzAO`a(Vn*`)>IHm%DHD7nbPWcBB6GFz*c zYCsT-Em@wsCXPWeW}(!PxuLo@6dPYy$`3@5GK&Rfe?3F~1TFPwD8{cP)VCBZ z3~AhZ(!W(*bL=r9e32_UlBT)n9VHIF$j^OvY%Q-a2*}o=FxEPJn>C+O>b_WRDT@T3 zQ(yW zCUv1NuI^&=?djdN35T5FRu87F$0ntAaynm(g!da(np<0KS1Tx{LTs$CK~Ilm3GOzj zM;42>>*8tk>kP3*`n;MNX+12C1z`oP@%Pa?dwct<{r&yt=a$z^h_JOmJJv+VVyulKv)l#*p6i^$EQ_op7GE3$QR(hVg@=}L@Zsz4o z7Uy@-mfst_hGVlA+&I)q(TlVSbMf7ohmmYYp$T%ZfPp8xh3mDf&!easlMaC^uaRJ@pLc(}_S-uRZMx6r7Uq`Z+q=ra$+o zegX#m!Y8T~oOh+FLBS317sLh>vM2314$HL?g3fO2gSg 
z$Zn?oJ@I38kK>R}j$wux)3yl3T=`&uWijFW6jaE?uU2kWznZa%Q_57_W8;TXX)j*2 z%P+qk*Zs`Pzoqo?TY=?rB&H0>Y&`x>@&ts~nRd#cuX&Gxg3QY-QerlbD{y`zR`f*F zyW0QGZxHC6=~Bm#zk8?|gK`RxF%)}8n&AKNa4{sb^px|(gEwE;x5$vKgu1^vt-GR|`uitHg6izQE$f zt3ULV;KLuJ=!WAYG7oMy4e9?Z&j$LGk8FGGpHnv=SGHnxdYnhX&q0b>DevKNz@oc26qf%A zmPXg3Ro#SSQ?m}KIseuKbRU~KFOw9h<0G$cR6%zm5EbO$Qno7;dNf z;f4IM!9Pdi>BbtVmZH6 z%=Cg}3tdwu(gY#Rrap)MbKe@X%T_GcTy;Hm?}u-cXTMv0adGwS5&bf%aW0n*a;@jP zphnCI-j;4d#SP(N>ae#VaI{ZduCdkO?Hn%RV;z$Y&_lPU-be0<__mIGl?-o79V@`v zQkB&NOlBk1?D#)?!2lLctQ1U>nA)VVNb>T2)q$jFzYDt;W1YAjL1b)n>cC<9;#L_} zYeRUegy4?Qzn5}Z9b83c_DNEDQ~o2abW8{~!#%;SKQ%hWXWL)Eo8VXTin65_$St{B zv5M~*=p0>nOJM+imHO7jRc|+5VefqUv?!vcWi(IChT7q=_R;_-c705jna-+QP>!y< z56`V&pVV;Y^O4#n{ZO!_&$NT=^CMTgFAM&WUP4U;BJMr+pjm9KM{S>7{G45U(}hS9 zSF0pMC@-E(DH}4N136ft%`dQ`G86NQnraxDQ6XwlDEv3hceoKZ3p^eEc5aOfk_&By zil;@BN6JjNv&c2@X%K_Zt4i8GpcMLmCcod;yIIqK7YA4Jtrlh?t|Gc;GXiDIWy|Kw zDSl1lVQK?!L7N<-&T1?>jIU)(n*u#_V%lZugf(SnVvsSw0y5h`J>#3$Ik%2O_opQZ zjC^%c*%;wBk2C%Un38Y!eoN-RV){3%a>n0u!^$&B)@lmVoA~w@U#~m9844RkH8HxD z?B?tW+Zyu74RXU+(FC3Z&z+EF_poVCq4D!3&Q1;Ps@JtKji-bQlTDVk^VkNfi>X45 z*?YBGSXcx=n)EfVH{N-aA^}5vzhu)gv{aBmIywIRXLiwxpBc_~v=A2h$oL}IE_Ajm z5M{o4`1{7bP*3nR584Dh&}W>Z#~3!DjF!yJ3}oZKT|R$?DY54WDkyx;Yec$Bdkb%t`$FoN)ZT{|4TV;K_zC6-VCgb34X0H_}gK;-Y#NP?=PX{8GxBaH> zTugUska!5E*_(F8Ob@-hR3KQ{T;GOBj7o9so zSGF`o+my`Z!29RxWP9@}eUL#ni~!u2Xp9d4M;H8aYBY7Gg8f=3x=}K@3AFu8XGxro zTa+}zEKhd2#=#3p5Cyxd1HG&LZkEu8{P{YGg#~8z)?Sj_x{&)fX(FPOtj85_X?x>X z6}CpF(wxD-TFuD4-3xZ_5WD9g^l+a0m`;y_cba%+R-cZA+D(58rt|HbpA~{DGzJHV zbs%|zc`sr*4)qgdpJ4Ql@%f;exzAbld+&I}EJEj~UtFmG^vnGY70p^6VBvO2!{QKI z&c~^Ig3hQ0Djv5!iza|_yN|T;>6q!9N$pCg?j6G61RbBU*EQ^|AxK^fkOSXw=VX=X z^kbSR@NlGS*H0OINg3=F!(Sv$xskvI%Qj09CRYGeXwa~j;)KUGm1sN<$c`BF8|Bz* zK&c$vN?ni?N%#SV(H>}K2BLV!?zXLy^3B#7=Qbg9dhI#b5AjlJxeh#}Sv#NbeP+Lp zVn@2{zr+akOiMd=_t3h_nvjj1dRH86+LfYE58B?v;?@QA>!s}OKirEeFKmIUUr;tg z8jPSPY4QQ$Un^!gw;UWnSMyG7?1acbFxiF6y6gMPA(kK{D?W-p662{N_z+6*J#+=5 zM|i``?b&ekRgtd!dBI;x*LmxPb!zvuO7pR-U)AYLO_^5T*m&EmE?mzp8nk1~eK}+9 
z&D-PGOlNfZI^|7@v)t^xy)yxKjju<@Y@Bn^igNyG(7%v>U4F*ZS-=MNxLh?dR*vTP zYd?uQDcZZAX4!R0K*!is%8l5?G=!_K+g-V^{cP@9UtQG~A~Oh>Wso7YWz3a13jRFl zO_8{>s&Y#1S1vHDR4_=M&IwuR3nN_BU}F)iPrAIub?aD2YlWT&!hZ!;Rl6t_pmhW* z+kB#;_-7thi{)P)Luz}@hJzP{J?dFIv0Fj+o(C zj|Yk|_-yPQ#&~kqk)IOjqUm4)O?sNZ%OtT4h)@R?XPg3G81Mpu_X*g zmAf~Xm|t$bHK6}I>U)Gw2YfuG1jBwTKiOaQ{E#~WJSzg`K2GiVmr>ECT=yaj4$jEA zo>j66aIK?1$(19#G!I7>t^ z&PlUWyWYBzRQb|nqC_RKWt4V%?L2;i&bnS@YrXC+cqMn3ml8$#J0mKnSs(=3TBMYv zb9Qj#e+5CAoWzAyzZmkop@vE>r!y z`1bUn_v*;|N(RrZtTQZH;jc8?EL7M z8e;pHLTHU||Jxp%g4;6gTO3{9-i4Yv{*dc~s9Uksk~7|?9_LRUj`c$EJ1}*nR#6mR zEQlXp+-W?ts}-vT6#m@;mf$aW+b;*+!aYDjq1$M1plZ08G_0vgJgXaJ=|GG*$9SLt zLzIl}AVbhCrleE{=TF?Y5G~^D918vae`@CtYc1F3+44XR5}(!_vGfH8MNGJ0kT&U) zyq+x9sf~iH%1+Z-A7=CEsUl1>?7fL=JB(e~kf#&LGN0rSWwc*l0SFRpS{n&-Gw05I zJN!oH&gmyN|8LT(UCq?F>-KhhtaW$#wd$zQPL@_C!Ht{8s3204(zSWjyPWycSQ09? zBwh~&Xsn6&SeZCn`pB4!4D5mY+F(aw9}i{x#zeb^+Cj&9moFPpF?U(6;8^?gxtXln zku|Wbewr^0R8R9D>6F}WcAHci)vyw6Y4cAvzTd<`ErQAQOo`h<>?sY+TvCOmfWG*2 z*oD6ARFAyt$fHD;HwMHtO@NPNR2%sT^7C>W9Rzhv9#Fr@ndsjEteaarl{F#u-gdmb{?=w*d zegkU3S3~EQA}Q{hA=39xOd16RS}9GxYNSDcQ1S4eWZBGkY>(3opuTQyx1YJnf7mZ^ zDwRM6zXmk$nZXX)5(~@6U5jD?_3E-U_K zCAZfDS9mf2<4y88*01qo$IY>lh3#6|B5}+S#*nR}*lzdCyT;3F-?b6-)XpoKEpLeG zX(!4QL2_0f&F?WNiOcS4At9^8ZNgBXzZdzvkNuaI8-uq}S2)tMdAGgu&!!-<$J;8v zHIdLCZSu?5%A_l6Yf+0Kp_cyZ9!mVLdk7%F#5Y(PF*TO8umm+xRYy3x#oF}ifI^}I z-TM{4XaOs9ov7=$D!|&}#|65#8f&o8%tWobPXi3{DuvwXSVd~?vg&2gle0?;lOGvF zRY4nlNSZfIyMJdz3LWUK$757qGo@p~xN;#m%ntRW%wvPZ`t1*D#+u0Z^ORhnqX4i< zWjj$W{@Vddsn9&wbo{rjr=PO+x3X=u0B-={MTKr(HlH)Y^lH+&=tdH5mVX5FQ;^K~ zN5s1byL)m2u)M z)mR(Gnq{i56=SYU9p`XYFFRp7FRu613UlqNF@Rat8gRS zHyXC@&i7=zp1&;`WhYH2XNWsTgLxZYkktp?d(NQ~-=d~#msLf=b9vNyu@J}jsi?6K zuI-xFQkYcNCZgl>Y|+L~RD3p-eV)dTS=2xO6};`+=7;$-;LR=~rk6=AH8`dQ!|52K z6u3cit|4@XGBSZt`lR0Hc3r@4zKGR4yt~<7|JSBFM>ge#7sL*q`0ASSfb#Cq9=MUw z=o&K_f0Hb}$hxuhk5Ok&iKo_5XBF94bojAA{3Ot#)a{CH z!W1Frq9Q+N(Rhu$#2|)B!%Al$7x5gdM<9uHC2t2?s#lA1(Z_MHq8|yatT$DGMk|lC zt}1p_z(fckZ0r0szGeMLmN 
zIv><{GCAif#e=zD)QCVjMoED++B2)DXyF1?Sw0+I$Nhk+YOVjz1h2NEd;ACv?=hY3 zx>2MX#P>1QitX~Q*^D|!!b_Lk_V16`Zsph>o)ON(bv?in*MuUz7{3~}PKK!*Q@PSJ z)lrY^p&E9ap}JwMW$lil%4V@cqd{^cSjTGWp47L0EC zp`$(63BzyBUbI4=(l98BCU_UxJf)3D7;B$>^y*=e-VfryHf^{&HjLz}7+g2{C18ql zIg3ls?kD0-p7)2`u_-MKi>)voggK+ipGHxG#U+8jvcc`R`bEx)&!sf~T08q2igbdZ z%*=P6J$s_uLv7$;>nlbf`&x2E%tnyL#t@Dia|gaBFVsvx5A5vN!flB*pi1y&Ib3wb z+(*h5%(7T?Jlhx@X~l$TBf8O})qWO!%NWr&Ce^}?py@lp!eP6E6whzHgeD;k-P4xx zjX+6RHcb|bQaw`ijp^>lpPXlt=9Qa006K1978Wz$p#DhMmu4TabLi>M3jI1^i# zDpyIe(KUr0g?lBbo04D35HZ`JjtSyhAq;5qpv75s)R^}lF>73`8qvX1r~~u%7a1(PWGB@Kxe;!)n_NcfU4i zHgDazsvnq0h-DE9q_sGwIhC;nJj&kx9$vnb1|(01;@GNNC>?Ts%2?(H63CT8IQLEU za}cOR9RvqHzO6(*#`pN9cqMlG!FG@2L)FW50wAPc4|wtDW@K5(R4kt#X){r4Eo+79 zgPGJ1EM}@zd$b_B?ZaY!nj5v^82Fo&F#cSgac3CI%?lSMSoOH-8kvMhAeu23x~5HL z6i<;d={tnVe_*=8TXHFlr*abO_nx;;($F05*AZFOuZlOQl{cef&9e6o?~n<=ESbrD z10oPaPuD2orYbBaRkk3>*eHZs8{gLk&T!kn*Rww~;RE`39}o-55=tQs4&IV^&84r4 zN2djQLnm3n1W5&shjW_V?Z*^c-tVy29b!gRPgD*l|3usJcwlDa><8M$X3-nvN3@>n zrY$9x^2UbYzU8cPh5#Q{QSTMo&i)q|fSoZ>LC>|Zu}}HfKyFQlN-nAO-MR}xXHY%Z z#}bMIv(PXSC$I)~>$jHi{=O=PIrro2fqwcTi+}(W-&ryX6)N}_1c#CNa(gBcwxS!{ z%ORPiA-Xo_jDrOHJHWT@F?9MqbNVsk1Ny}#hB@Hd62K#N*4#~~k?KLRtGI!SQSFc^redbzI*&;4t<<@2>$%+#G z=T%dayZbtCmRIqnEvNQ6eaFovU^QeayNVY?NpKgf6y`YLHkM zjf|y_2pk@QcX?_9Gc3eHlo{p$>yr(-zql5!+2F8>;T|KVpwP2B&3H56CXfz&{KLYC zF(^jhe3%i^Nuik5h{v9hv1>u%C;-35mh;fBZ7Y!YhWfd^>=-H9`-sa zB2YAsn^l71^%W3J(nSXWzKEhScRFq;-)iNsJCTGwlL&1B&|u&QZqtX;YeB0mpk)L6 z`o4?ws3a@NFb32|us{Z4TsEuJctff-jfn20=aw>R;@Xl{Jj;ZHGQ^JOX3 z*r4(+MW&U=a?is7UqnKD1uUN^NobxSA!jrfhy42a&5aGKe{V zL|%zgpqG;1s~U5j#6sE$)N`S$Th6agP7fGhRJ*RLsn7dmT0EBby(ogfAX0)&N`-zM zVA98hY8a+n2B}%}nfniBBURS7o0H^9-0_C`srBDB^kK{at1JEM?vvrHu0tuX8v&4~ zdPlSv#4kx3A~#AzK0A6_?7g3@WX4isS_nU4EsEN0L?{i-(7}zF2O5+$K7J4r-G1+) ztX4k_}x+=UpHk6>2 zeJ1vF1Y*w!5Vb?LLjhWG;`2n?_=)*^VPDLOlz+TkUCU$Ap& zazCrVWaFL8+K~I&<*u0bcg(-!wlyP?54+zuhWHFeZ68qkK-SmhzLz1bLX;k7`{@YI z+7Pw1N5@&zqJmgFm(Io)d8BwTtmXYeSBKT}EvBUrSU84w2rUf^iF<>Lyz1$J^1lc! 
zR4=zh-|c}r!(FW*MmjaF{10ZzK3n=9LNaiOo`|N zeg&To?~a-G1oemuBJs&=XG1t`t8JLr#}DgUvnaLIRxl^(3yxO;H{h1;wBL>?Nbvsx z0R#U0%KAwi>l1$p4}1(f@&mpScOk%vql|zx2prp@Jl_SugWx+MztU+Cghd)cw}uhW zhyE1we}(%F7DJ705`+$Id| z)P+86JRU@0n^5Hy1bp$SBY*;D+02eCh}TIT8Hl%w+d+S$?936VOgAhe`uIEVBe@Wp zq_~BPbd>E_i6~c?U2iC{O};M#iSS%y)0Eyf0k(04(QW8pyE6gfKp9cg5yAJLbNbZNJ@#qQzByHrqh}dWvqhq1#iL}A z&`NStEGrt8KMEG?2|+|;^IU(v9Mo+jMbA^hEXnQ4S499O9v02U zG~5Bx%~YnFw_>`P%yjcXFx^UJx^*k2Tggnf9t6|vRHoavV!EBobo)Ut-AQG-b1SAh z$xL@11k>GArn|Rdx|_^&cX6hDn-xvgX%U`BQawp|%a<2Y-pTFCS8uPpm&bE6mFFV5 zJGp<|1fH7@f#+5#&qY*sa=QsUw;lq|?NpwNXzt{86L@Yv1fDyoJQq>i$?Yca+<6E* zcT;&TqPLUVP2l+!dOL6<6k+)MgqYyuVp})_Ix7d5BOWPn6492kP@RRzO$CJB9(TG3 z+^PV`51g=$d(2@$`{3*g5mURhW+$?_Ml@V-zLEh*E56f`wuIs3FA+xp2Wuy7?l`() zrcJmL1PN;ZqCgL?w1tlhiaZJdHZ25oEeT2u_=9ABK=6oI=bY~~a6e5vm$3_%;otuU wP)h*<6aW+e000O8l5Uoh)>A?bl5Un)QrTR$$wB}CX@HX^R5b?BQ~&?~0ASk#5dZ)H delta 17051 zcmXVXV{~5K^LE@g4H~13Z99#f#E)8hE+H_mTbKANR2<;cWwoj1 z;InqY{R`pcEXiwx@u^K~(d=y4Iq60yy6vjuOB}7OL;$IcQhplNssp##_^11*dt3weT@gZ18v%Y1jg1iznxr?bUfRB{mZ=7k+Yu-1bKgomR6?t73`Y7#Wei zYXWyF%aqqq*=uLu*wrm+j0knaC%q8uG9;JcTOh0{B5OOC&H|k zUBsPAPCAz3XlxLr%HD4?MB3XoL7}xixvsljaKczDv`{&2jWSdyRaCK;F_E&;`mvCI zz^OJx*pT;j8>uF7?qvnEv}pS0*B{nBgsGo&1sH#>sU}1#Pb048iu7xLGm}XKHc}Q6 z`N$wO(XBp|nsF@stN$*CNzt9-hT&@-1jKe8Q~5wFv^?D=0$WH(i6LgGRo;0>8cod~ zVATN-95iN5eWd-$P53koUkRr<8WbV7^C-VjN~#NV)ABAfQ>p-^f99-I`(8&D77ou^ zf=hXeOpj-h%0`Gp-NV2mYJOY~;8XGWAF+tzElnk31c@{5P1svuD-T}Om+Z>Tmi^4= zR$sI#`ZYWEdcTFkWaa1wc^6nXo2NB}Q_OI7CX`t9aEWv-j}@S4@=YB4J~eAq*n76k zVh+@Qp~BERe@_O?Z&e(z4YUnvMz~5w>!3@McxR4SASN^xvJ4zr%t~ippa>+7!+WZO z$36`A=?iV7bYzto84c%4=6;ib6Z`=i^(&2i>CVV=W{4s$?MV|ozaEak^8|~4A=->W zjmnK=G2G2)XKcP?(5N@N8LgyE<3ioUsZ`UJ!#sTfH-R0nys}p~MSp5pByB~iUtP0w z@wcL%y^ZCPEtJ~TH2$8jRNbO+E&lMpMbMOVFcxJH5jhamK08~oug}dCxSCiRmv@yg zBT9d$#4R{&K18jin$UqskUR|-ObKRnI2-QSN*%OJbIXTIri99AOI)s|X>(}+^$ z`IDcjw1%@zucES|xLW_-KH*a#dvdP{bV4(4E~%*`I&oK+CN*(5hI+E-tfkXnJ(}9s z+g6q|afF9>I==U}r^>J8&C7lNy^rB4#-aS`FO&&9Se`$8^>KFn9qEK?5qZWjXW;Ex 
zCHH`fv$HWmc2VJEZ(E_grq$fvUSGJgK}~#7agX(=%5NX7`VUOzKQKDAwN*0*Ilu6n zR@OB=r=TTm&yX!nK&va8*6hL7&K$yPtId7wne-RuiQ%3+jZKY<%4@5leeLZZI~x-e z7r?XyMU0a}7*8G^`^q`y@@mETMM(7gdVrkloq3`KI2>r8)p zt%LpL9_HgjT9{{1NR#V=-WtzyAD`wqRGf{Ry_wU!Tw`r?!>eyySIRP3Yd!zEnx%zs z#pQXuq_DL!OJ94s^jhoj&W28NldEI6C*UgE->xOH)_TftvF^1)Sn;qV+BkVcL|<=u zoQ0E0efI0PQLEzJ1?XglvTR>aeSEZdS1tQ>%Kq?}u2ZvVasMiWS9C}c?#Y};d%@iA zH96Kw1nx?0VLq7J82k$}h$9@<)A2lzZz2K3-Ghavze{bq-etV0PR+{f?J&lJOADw`jqdDx zt!G15$-ov1_2FR!!81;rTr#dUkguC0UY$7awC;7>)X`Tzj~%dLV8g3xsPe;7BwMFH zqn}^RdHxSk?Eer={6iG4wZ!ueQRY8H8vh|0{69oS{~^lnEGpHnT0F_*UOLO!w+uiO zYDal(trMksBCZ`vNfG!TL#_W9vavC^{Kt^%KZacYV+ijbL$R7)asWE$Us_>MtMEcC zhPLmf>Dm6Yea8tk-x0JE&hWz8d10F!466=3&AqzO_E1BkvCz<5u3vufGI6}S`(+Ke zOAN*1DO?of^Y$c~tz|sR;#nRKYpd+~V^_~BQK$7?Gkb|~ynCVyM-$>*Z>P-ZSLb3U zo|t!rK;+f8iIZ8sZvcrHpi?(8qq3QeT~Z}k2nzPoaZK^n#X`*Xg`-H369Zu-S3yG(9b8lc{pSIqP_%QS zyk0o)DjB4CA2XrU9`a*Br+Erw%#Bq$bQ$PaN&bJL4p(?b2GMvI~I zEexOY$*E91YpHh&qP!WR>xzb32?ldt9G%r4yx*I8lr5%fLsh*4lJ_O|j>;H1pBfP} zX#}5I1f1SlLL?Hr&BZRCQwj)55b59kS-$Mj=A#Zi4g~3D!m&R6*i}W{MHkD?ZG$01 z;U#o^3b{{XqY}2z|1?@e1Q(Qxm(Y)^F;!ogh`NCp>84)NW`ar_4BN$t4*hK&_1l}- z=>(R#n^5{q=9k%bU`78nS{~*=&;9=8sBzT)(acQTmVtgVn<&%UFWWK3hE?>smf_-Q zpQNt99WdG*gj}rg`x7po^O1NWRpb3d=i9`~c&qExU{jm`*UTS+1Trm zi%N60(y1n70d`gQ3^!|g$iA9Uzlu8CYf)h(l3@JKVV+is1f4~NUC2ItrQLl(Bi68J zkLNo6_2i{BylK+`uZYH>QR!)T{dSwfl{YlYC(w4^$&ZuV?r7~m#de)eP+aVOf``r z2~47l!KK8X;EjK+DhLzJ0=Y(=x9bcQROGi?Gs7md+GY*AHNRlAAH4VK^)X z^~!bzsC(K{O=eMj`(Zq9&er2ysH{Mo3(!YSDwrN+YCo+abXt^Aw(&P!`LO}O3w!I9 zo=8b3bXEtSYq0RS%Q9JwSf%n_jUcAp??t#B@^H7N+$|*Jqc_E*ghW#Fx9+4Hs^u5s z!hMAB9zCNjtFhVefikBVrKy=h?&OI=eZk(akc#-?(&l($W>@&|Z+Q0yxueNPz-=wk zQFM*0sd>wEh^E*5B+5#s@ycuqcKlx9Rh)K2ZbEg5(Zjun82(PvnCogQd0JFC=|OO0 zsfMyB0aPUeN?X{BEiYxLELO?2VcW8;37=| z4{d){D!J<`7e~tq(^_t(kZgLR0w2#Acbshv^y(ZyRzLms(X!ZL1g%s7b?d(A8&?>e z6hNS8)Sm-I^$!Y#IT*p$GF#k9XFDf4YIPwwTiHQ9j8znkBFJ&V6dA%|Y|iin>a1O1 z)gy>8`9!3Qjf4$)dP^({UH&m~fHkG7dWIfZV@Qwqa20 zZV2Yntkeve66N^oTAu<|kG6?BSH3^frl6F`&EM(YuM|Com$;Fp8#Q+3JhkY|nLWyS 
zZVq5-ph{D+ta$KID0X;XxS_D|xE>L?c#o05}fXNItUBrxnQeTd z#Xz^iR-cQ8MtEpPtk$vFbEtSwp#}(8Yn%@}SDG4ASI43bhQQ}b;BVOwl4F_u(d3lD z*Hg9rY;7N9b`p%ilf^16kkP0RL3O0nkOJRCo;WetX20cS(OZ9Q56Ka;UD{yo*o zPYzC_KPJnoy_kjiVZl^xrEx2-8gIk%(BJOFs~&ht*5@r>vp*5!X*CLwH(;NsAV01- z5IIAkndkEDD>MqbFU(=P>8z>lKkwot=y0f#r?1#6%3+1DjlcK8c3b)$YW*@jK5t8+ z{Sin8L+L8U=s<lgY{!b8=~E*FaahH2+FF5U;nj@1Q6eo2Nk z_{vIzMv%wp1%d?;p1h_97cHF_^5Uo!yf*(~F_VhBYEzuF=1>2hhS8sl_4_(eQPz z_e}9e+1$d*LpK_b(rdVb1<8ihlG(#VEYo@39zwi zw?FIr=q43*e(&jpLx1K$*s1T>-nM)9>n?)7|DpF#UR)6+4=mOej0k#cK45z}{JA5} z`oo5p|2R~AOZcyNa$L(&JdIeX{7{btQR{W|X-nvJsv7S}CqTtAe7kVGd&?O^df5-3 zv-Qnv{*lGN)?b$T$7}nnTJfx_HucOcadd=;p5}~?YS)Ah47u<=gfnFUf-_}LCwAv` zxgxl)J0DYZ2hf+om-&uFhHUz7&sbryt&h3Mt&R9Lqxtm>OP5x)rLE_84aK zka1`I_{TgI|8_|Aliuq)MA6|92^*W zLVCv&m>`l%kpUp6GTv=zrGn3h@s*j=BOy2Fh;ddC1~4)dtn^8mnh>_$TPJF$xNB=t z?Go@cH0^@y-_m?aPb4t5iiSIT5PqSWsj1oj>-*IcqJ@zXp|nTW24IGYiQohw+1K+; z;|oToE|^m+5iK>F*FB!{K<`*~xAdmdZ-y80pquEyKBN-o!Y@*fAnchHe9f4`B?vc) zf%)th2EvZUt-EjyKvY%o?^RQ^XSD(4v60|Ov6aGNZF-DIm$+FyY)hh(4^!=}>3ppq zZR#mDNtxa7=LmsU+k&3J2>WkxabrtSgrf7AaP&WuP&y4~e8wiLl~hujc};mv=CEWpsygvy#(4>3 zqVPyrujD6`Gs4x(d45Jk5+mL#x?4VI58kaHk;jIQumX6BF7{y7}XhbS99Qkip>sz9$6{fbxI<^)6B3 zb@a%SxXD`{o0w7sW5=(e)we7K6`#0zf92=j9Sodwj#7j8LlyYB zh?J~F{!!kLzd6ala{pK)xi6BCpSXS2#JgjrxCpolrXV=^B_fvitrH;{^nV{62$?x@ zu;QsZb%B~9W*bUj{~bWX1RcXBZ3d%vipY56&u^iyrE^`$4ENMe=4)|EtKcG1hqmDv z2Fk!n5%5X@cu=h|hQ7h~KEs&K3BQ=me+esfbu9GJLbhky9MhRqna%-G=ufwyG=E9> zf|XQLg!mr5$m$N2JSAXzfL%zuvX$$ehdn3cT*8S7J~XIra0cjU4qO=qk86$!!7#IZ z?Ydv;0cZWg{z$m+MGP*iF#F5bzHC;?P1{2(af+wou6ny`M=<{`X6GwL(BfPROay}P zb!N1IbG~0V-di@}^C61Q8~KunTNe&LS6)a)w|QW$Hokc^_-h|BkweZlx4qkU!ycha zKE!O$qLlW!5t!%;`f(In%pE^;RJ@9pDy|`DS)n$1L@DYnQWY> zFbdsL8=y(fp#)d2J+VcboAj7ihGx-RJm$TqFiLn9M`oqTWM#6HhzyeQOJ9Mv|H&hR zhFt4bJg_k{LO-2?5;<_jPmEjJ3Wm$#UfaQ0TKXDeJ~r1Q#cCQlfS8{vVpJ*c&q~aC z&<=D_g#Tb^MIdG|I!2)GvqewkaxqY35&P^K@1bO_{YA`@95Ci3ZTn_k;Pbs5!B9`9 z1Ac|*((tZ>x?CVjnNv(-iZ>4A#Yauf@|$#J54T#S&kwWu_6Iedvw0QQmh5C@8{*l> 
zXjdghjot9dQOz~wAIxKD9D|Eb6)=0)nF`=Zu_8zPOR@ovkve&1v%bKl-|!{qLP_`g z$aTfIXUutKR;3kjs*}+`0EMYtc^(4PG?5#>bLg58rpa&1|0sh=EtUweP(2=Y7ex5BRlz! zB7Tq14vLdtI1Mnnf$pZV2ZQu)PK^LaDG8w@Wio2`5)Xcvbo<~8L0ms)wdaC{1+U-d z8VtLvOkQihorn;APbsCe4TE<4mUuuNG~|lJ7^&ZLW%gBcv67NyJR!FvFS4Towg`0z zeeUX}jzqLNHP}o(F_fswN59l9Mleu34ctaq_>aa)Pzi#9Pr?_3gT{3$h96IWzq!(% zvmq;aerMr|vZ5pxB*&f*!ez$p>ZIZp~XU7A=NH|K7DE=`IT5N>!a| zy6ZTWL>4cy$y)NBz3{9Oq$_X%*-f#%1X`5dLbA_yYt`d31g)g5w7QVcBz-@W`PlUl z)uVX4yT_g`SBUU18Re~$KGY|PR^LqDswp?R5y8SG<@>(T@6y~>ujn#ugsD5!^pK2h z;`KSxyP>XWU3lCp+Hb_6_=>NWnUS}#iQU>*8>pzt6>rzn_9b!oO~7pcP4-pg;v^$Y zW&@YKIF|}$pgbWwt1_PL;DzrGu<)!`277`mE{ED`prQ$4AAK(mDM5qhi#2uWQTp|v zK>FNPZHOxD#|srB*LqUzSz?}u(g?f{^(z$>UDVarNEOM>NytvW@Bl8cuK0K9HKw6d z_}1@-%|rs(li!m8-vs>qRb>b5e23`r)6?y*-uSi@QfdnMF)f_kKLpXQ)G;^W zh)J1$2Kt5a>k!-#%e4Vo~qr2tYd?>{GHw> zO!pMj{QhpSs#m2P{kNSjHbOq0>_Mv6JEb}GLFg0Q+zMn^zyBftY`2K(y>7pF&eu;w z^QI+QwsP(YD%X-%ym<929KrQ0yyoo$iX?8qy-P|=5rKI{gq~lK(&Jlxl0fMbcgjn@L)|ozJ&chUeuTgQ6o%89 zecBD$v{|yknt1G}DOqGqO~DhPDB)%NGdhsxA_|A^pUe8(7Wdh0NJ~8Y16sA4p~P1@ z3>YZ-ai~lQ=<}bf!)phh$(dYb1ZHLkX^ubHny^&V6aclgPA*9k6En-tAaf-mz7&yj%PLP@*}ih-5reF815|v z-Jum{2U*`;JcxS3LTr!jZ>rRsNoWi0uVk{58$c+ky_YA);H%69Kr0VQrdaCaz%qHg z)=oHw)=sb=efQ}IdVp-9{Lhnwf^g=4o{0YQWaME)9yF=ZNq>-U#c-4#QNU0PmYo&P z>{ayMu0zV0ClM98uT8h_0V2vf2W#N>`Rrw zu)7MZ&a2vJmiKfHUf@DUwDqT$RS69>Pf(B>eLBaX2H_!md-+W=?%w=Mg|izu>prRT zflc_sBDIhNSgh}Oo3E#PE|aRtl>z(-uu#cg{nPKf+?ijTpo)@Ixc#KX?Y<)wkhr}Q zbZ72!`z7xatB;AUX-tXY|NC8JC49GQ;UpNi$OCHp5lU!hiEFo1 zsa4@=W1LiucabSb)%qb2O!3f=6X5xE?2=X(!5z#>e&RRe4y?5X5m`B_2K~xB9PDQ- zRFk(U9(uow5biipm^6JB2&&TN*hqok z0KX-PNL@BiRj(grR&uH{UO>;yk{K3^@9j?xar0eWoP)?8{cEKf80%3MbMv(Xgekg8 z0V@o&+6`FiUnPR{zbHHxOe)JShVWHI#l9egmhlABUy{iHt}Dfhr=4U-Xil&oRbTEi zd=bqNI|^@$cDx;_p$^8$syeEv1>tXCs~ZO#Yn_E-D409637Mic$ZjP}Ehh$3R4NQH zdlYtRIuESj_`XB8f}Rz>bXzyV@mcX#KPvFC{*$wbCRQh!VZXX?YXg 
zIG`ASg;@yDR8tl|*a~;(=`bOOw#f7eSe#c&D^&!RfbR@~x(2X+LAKl9+2&4|YE{+TC-POHpfEA6*`>@o)Lt6ats~`jkaFwL{wWVt4WaW^d)zwHds?33cR)e{iSX>{Bo;LCCV9rK+L4Ft;MfktFyd3o9IIjTyy{I+OYpk0*1`JxPsUg-hV z>F9!Qtklj(=j3Esur=QWmBA(LNWoQHPi1pisZUKxYS!7`hp2pOXnhMVFJX zRh2|rcSoeXC7Pm5MAVIKZ#6pILrTQLS!c5V680fw|JshAwc$F!nnjG#h}q#*$Nfe8 zW4q@BUv+4x(HQxVa!E)CflcT*A;g{&XRv`gI@;fq&lTQ>2^RQ6 z%N77;hW>@Zb3+g>jii4`f7ps$oFR1abVN#Km-^l$JLK;cis(>vEb1Tce{sBTF_-JQrTge`aYJ#T|tz2EsP~Qu~y|t>4c<_xa?Jxxl zqw@D4OfiSKK+c5|@W5#l2S)kS_E(Rt&xGMbIq@TDuilTnoCfFdS`xXs)w8gzmyZ56 zgV*KWS*7RO!qcxTf)fYAV}zfRiH7Wh99V_(pLs7gcVK53ymgxQ0ndvL z%8zLqc2+qQSkJ8<5Lp2q5nXE~7E+x&vGeN(|daLBKzP@kC41u>eh-4WJH&_F*+wryjwPLy4IOJC5T|Iz< zut9y_LHFk)@L^kBGGzyTBv~$3^s)e5_Y1SR#E*}^xPyn+7vL)Ho=u$;MsibMbJi~_ z8(Ux-FF|591&+OEnQLod1e#4fz4k79eh)UkEXr<>4I~tMjoV2*-Ei^%%;|fXaWM;i z&@cE7%>xp;5ld7*&oPEqsry1RTSar4{Tq^spBob8#lFnX=0QTQ!>0N74$_M;pxNQaK5HMJYd zznE}**XwYuyp#E6wWwwOawbAhEH5kmMLFkoBzT8teF4SqTBR?TYw?zMfNJrjeN-W9 zJ$$Y&0H?#NOQMaU=Q%p~(ILw~^yN4M%%n*Cf%9Rjk=!>3;52r(AsOW)xp2 zpj)l~sscrF4WdRk4|@Zp9Z;3^`0J*+I?ejj-Ir%Bph^h$ril&ynl*k2+_#bZy6IQX ztb^A?cYO(rkvhr?R@rOqAuD+E?J?r1MR4~cL*w!rP&@33tS1zyK zd#Czfua4u4O24%1@QEjVfhmWH08H9Uv1I`RgSW2z@kj0Zd8@(w+ang2coa*a@7XkX z8sr5;SP3KLT+!1bY*_Ob^KR$C>6KUCi z@OsPOf3@*#a9a%or*kuH(=}z^-bIb!1BF6|y9Fbd+Np`nnd{%W5yvw+e6p=ecx;~D zee51qk3~)UFDYrw9a|_a^lt~tKcYHon^XQ|_Z5G9te$dQZkQe-`n(fAQRW0=JY%SX zt!6l4c4%1YGu}qpo=EUxE^>^Q9ofH$x#I(ps9NojLtEMscC>qWi%&aMJAj)MKye)y z;$GDocVAqsDeRA|A;SsD?>gt^wrIqrTe6>#jTLNfb!7}5#yOY>pX2wSfY2}b9**OX zX%*@qRI$vtWBd`s6HJ z+Y_FjopEDEKT`oqdX!!KHKF5KinQe8O9>Y3qG!3JIWh&&i-8KILYoAha-H&wb7s1P zJ(sa_?5c$mYP1JS!_CdB#2$_4Y|%4AAcNjbD-VnCRejBhYDXfZeO#j-0Pys3KbD5d zN05D064GY+28Gbi#nUBhb{Bz@qQ8exx$f@`$S<>&cCsdLFz4$YjngWY1kB}&E1q~0Nlw-p{uPw2+Kt5z#_C)J|g z@W-45AyzWx3c2fkARnUuDY|n%5`;&kiM%_qZ`!JpZ~o59N>AGqwf$~Pqq6n$=yzDP zF0`LIJ1g2>tZ1B7WJ|k$XI)4?7qdw6`3-l;9og=((z?E`qpSUXYIek?9-YGRr4s20 z!R=U`-ozWuugmGOf}&!$qSxV3#6jKG^(51#T`V}#rb2eeC$cUC&|I~?bXIom?ATmh 
zZ4Z{{fY{YZ5>q!7jD5g)pA9UCJh|51rw$Gr?NSE3e(`&w86pt*80$?hz4iU%=(SaU zR^)p?rbc-=j+j>iIAOIJ5-t$?luR)D zc9y6EBFb!tg1s6yPtu1p<~5XNijHuG5iyD>9G%%cu7Lp_M?=Ek9wslpv*NqI?M+5m zZI7+sby<0jlUpr{fpJ+S8hynBL6*EHV-bqG3qa?EQ3t1uN3n&9MY5`js53UghKH6H zxF~0+nQD&#UJX;VJ&Z$qb2%e8FwsXPr2|O#rg|dkd*?bKeA5m>=js&OCpdH&k6Q|k zp@bQ`GF9?~4bYv{+Dl86Bal_}L-fDq-TOcL@6n41CZMMU%o`RKoy@H(1H2;d+1Y8n z^TYRvnp2JQzo4fyGd|1gYS3x7QfU76M199n^1ZPFp#2Z2S*4*Z@XGNk>#rl6`_wJF z&ldAN&o#qcUg}*M=Zm`&mWq+m#=W`C<38*fdufE7Gc}}WQ&Ys~B{nCY{koC}9mv_j zK5rrg+Ck{qKMlExZ1kkUFG;?2A+|MKEnPf*0j({smfdT;de%RHR!i?)4OELN+A(SU zHQ#-JvUcr;z!Lso$7s@c_tH3@^t#phcJSZxE8a83_u$UIEIA%pdR;6V%h(^2M%${` z4(%Asr_nsC)2vd?uYm_rN(D6QiJC^h48J(0RzNLJPSZ7+(J4HFo1v^?JQ|zlk}GZi zx?^VWM^26yUgE+i@+SQJ6o;VsB8JxB8@oSFi8<836hBaeH3xC3FPJ)g1YbXM=cb}1)7dTQ^t&4ZqYgubM?vf z*-&gjiNPU*)ulsWiae9?N*Fm>lEb)VtJu;U9n!Szs2~l}^vu_P>i-1rKdFNEcTI(1 z-N?f?U379OY5D*Y0+)1EM}cQA%+Hp8J*<6mU>=>t@)bJ@rS#NV1~h&hoputjyeelL z%srlF4WqjOGU5Hv=wKrt$W*ZWdj3KtUE9d&`G4Xuc6?(k?Q=amJi5I$Z_Lm0gsnS< zZKNOD+Z_$?tG~PVLFw4ALg$$S6OBCk`BdhazOcSUC5n@~9nn)vX8`8}1a;zcxH3BqZ}_t%(gn!9Eb< zziLSUyhfbnwAsHQU(R;U-hUN{SeD~f`~vI$>@y>nhS+b5FDM&zFUoKoaW4{qtK2-W zs$4!x&m2(QwhEK+L1|Ods+<^^*J$RZQ8U}*O8O9bP^&@tp3Jh_mintis8PmDlzeD1 zaMDqHa{YjJfgqy@iOzZ1UF~_D!_F&-r@HM2khGjuisvx&D}S2V?tUW2U9B(qdi@&7MZE~qA8nX6~wrpNwlNXSm~5ae#I zj6GJ)?so$>QdUJwzro4^SfSY|!FOY-=gq(cui`W8mibxSe0ZUEm&5q^SeYobj{qux zoy_8%=Q37N+Ibe8Ogb`FDIu~${eNXG=tG!fwagV{cE%COg+7RE{!4Z4-BMBlXa?^ixk&SbGt5Ws*8VH4@5Y zF%JoC#xb-7IX^-jVS!Tg@uk8>-wQ=*j`u4ybGrvFQ~Ob7G%MmV?5v1_x(-RrcF>(y;DK$ViAis&Te{gxktqV@%X%-GtqaVd=IE`ekynR78^wNLu z?|$z;9AZiYBj!v&>cT=ASqF*|;Jn*be~zLBNrgvZEDGkFz8;fm-aBk#kH~y&;0>CxsSSj7z9knGI34F?6fIq+|Q~BkEm#3GMPhqf`L%>Aym!X z#N&WPS+>m%!v&Ks(EsL-Mk&6PPZ6eb6j^05k+#U1I0u|Jq)i1DEKt@Dz}JZ(lWiYr z^$`lc{KeFWT~*CWfp9=Nn(F?h(oHE2XUUo@7KD(zVk#xTOxhkug-VYd`eN@$}Vq4Avt8U;6P394GQ0A-+n>PbP zb(ILl(xpeGQOO#E4dRG)H%kU1E|QV*;x;|LYCzFSio4{jPS{qg>a-7XWl5XGmW z^$J^x$pM^YcGx_)l0!u}TLzmA-!XQq9X#Rz(BN$BrJo)C@2LHg6C}RWU 
z!3L>k-t3W7#06^GHLjiCQ#r)(dzp6~4KcfT2vQdiYXMLJR@WKNnDoD@`sWL0!i%LUuq*SX{$$L^?G zgRE$@fUEeaJ3Iv=bF@A+2%s7h3L$u~;cf^YU01}pTv6fv-XV-B zKY}9YS7v`|@-xGqNO%ucGSmn-8u|L`G|hZ;_!Sx>9&NFo=e2X`Z}*N@qBd;U*8Vh% zH+qw(TtXzraH{5BbJg{3UYNW9CjNTp8O$j=;zSDDpKWi`jYG85PkS}r zf7d>du9VKNhQ=QSU2NN-@%VkyKqt*LmB?J(TL=wb;Jw!o{7HhApfzeMv))m;3_9bA z*xRCMbDR_`rB0Pn$m-DJLN9~@(mvkM0oo-QqdS%zf1kJCgRg~eA`}98An3(_u>^h< zAL5avzrALEo+T@X9{M&=+0(E`9}*2Vu+ywtn?Rqb-bzo4*)Btq@DGr*Rd%S5TJVSr zgfusevF3E$IvtU!HPFlR#0-Sgd}_{_2mR5hBMl79yiJ|FPkDiVDm&^2 zI}7lVx>kyASDCXP8;#rc;0`fPk58kFCyij{b(eh#k*;Vma z)!`X8ZGL|*Y~fKjjSO0`y@Y_nR1W@Ztyq75f6y)3DB)O*T(CjVYvWKC=q(D5W+;45 z?p%FOY7sXBKHc6Jlz6zzH`|`oE)VuVMeSTquL4)g!G#xDYXrNGhgd6s{o_+96FHIX z)oT?Ia#SmY*n9B8591{WTlBZ>PxW(a)pu8*h~zQ&;PzlTJGgaWuW|VF{n+@ED9B~$ z{d~91D6Qq$bJ5+Iqv<)vK$VuNskqo#cHRus^_t32L7bKZ2hKgMjJ{?QbnM%QFHcv(3WycZsLT%}TPgP_*x%e6iP(@>$91Alt=vw&yL3c=aq1wy-txjq{nRCSddZi2w1B zT<;WT&S18xQNjes3Ma1P@3noFHW&L)HBg_2)I2zwM*g)_W284(02v5Q7yr4pSyNY+O?*LkPi^d-!uN_b)i9~Yx*CwxR zKBcALRavs6;iLCLl$gnlY!U538rd<5xOWt9Pwktg2}_mQ1u zRS+m7ss_M2be%=dQu&yWD3NIu9@&XhLiQaW;QPh@oFhEC%p-a}#)VK(QQ&~^BV`&b z#ESGy&;f!6!w`eQiI*S5`ZpLIG<m3i~5@y0p>Zo4bO+tzgjMFB|W1e zy!0;KwlDl zdM24^6Tw|bjk)<)TVIC!t5i0i8Cxa6HcysSv%8^`& z*DbM4oOC)`>@VesY2zu3@}Ap4vVg)jcPSUmniP?OW&-DU!z`8V2b2qfep3%=GoayHtA=D^(g`s||wgBdpZFzW%OOhJWQ(_-1Q>Y#FU|LD{Xu zf($fH*-QD0hMb>R+4}|iHOIqr{CNz#4x|b1@`OA^0wejvuCJFj3ddB>x0C<*uk|~_ zQB^WmVw(d43H{)b>abUaX)BPB7{9V$hQaLx;k<|CMOOJUhq{3|sI+^an(XMA8kXCy zDxgi|@PnN8=4%t1Q?|feQO+lgx+{op?h0T=J}KP}R0lnPZ(>f^Lkj->dA$M^f6bhW zlv@MZ<-SrA?TLkLk~LpRg*4H0;|uA*%pIXwy6V>z2ZN5PSqdB5tcvGl25r*ozNXgj zh?Az-2$GCEePJL;4M9@W?g@k+aVZZ-poysDNKl8-!}1epib8u-_q-L?m%{JfQ z1=+T|jF?trizWWMCR$f)>B9IkZT{|3yxX>~M*!Qn!QE{rV7D^`<3Jfx)DiyopL6=u z(>?ZSyM1$#B=4SO?3&$Yx2*UsS!in|c~>lJe>W`uE?B6rlwGePyIqBLxw3Y*3h!!# zY9mivu`2QDhqdfR@9klvT$o}&q%{I>|H#_j7a}7xqm7y|VUIgiu!)xt)A>Zn+rDW# zDsmP{yDIV4dC0mn7p+Tked^L$v@WgnsY`p&y0q7)E}cc|(pjInbQi5lcagey)*Bjc zf3qT0xg1Lg@2SV+ES90imRpzRqIGGmPhDDz)}^&Rb!jhJm-hP9rL$;VI_p!H?xJ;B 
zNRRmo%t948BL=uXm~oE~Smg+#ha)d`W@R|~;@<40LIoE`B;E&zQvm)2?m62z<$#ex za03Ncn*Ca{6Iym5PBb5-58sK};L>6tQF#10w1ng^-Xyc1@4LtHgg5^7Q4O}&(f21U z?m~?sw}Ova3gA9V0@=dObn;5k?;=(>ulEKxCZ?{#stb?d-~R_tO928D02BZK00;oM jewCBoR6-88ew9~C*{O}dK>z^rc9SnvH3r9100000Ji(}% diff --git a/Solutions/Malware Protection Essentials/Package/mainTemplate.json b/Solutions/Malware Protection Essentials/Package/mainTemplate.json index 949742566ab..345f831fdf7 100644 --- a/Solutions/Malware Protection Essentials/Package/mainTemplate.json +++ b/Solutions/Malware Protection Essentials/Package/mainTemplate.json @@ -38,7 +38,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": null, + "defaultValue": "Malware Protection Essentials", "minLength": 1, "metadata": { "description": "Name for the workbook" 
@@ -52,78 +52,78 @@ "_solutionVersion": "3.0.0", "solutionId": "azuresentinel.azure-sentinel-solution-malwareprotection", "_solutionId": "[variables('solutionId')]", - "analyticRuleVersion1": "1.0.0", - "analyticRulecontentId1": "dd041e4e-1ee2-41ec-ba4e-82a71d628260", - "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", - "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", - "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.0", - "analyticRulecontentId2": "7edde3d4-9859-4a00-b93c-b19ddda55320", - "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", - "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", - "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", - "analyticRuleVersion3": "1.0.0", - "analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81", - "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", - "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", - "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", - "analyticRuleVersion4": "1.0.0", - "analyticRulecontentId4": "259de2c1-c546-4c6d-a17c-df639722f4d7", - "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", - "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", - "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", - "analyticRuleVersion5": "1.0.0", - "analyticRulecontentId5": "f1443a87-78d5-40c3-b051-f468f0f2def0", - "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", - "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", - "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", - "analyticRuleVersion6": "1.0.0", - "analyticRulecontentId6": "056593d4-ca3b-47a7-be9d-d1d0884a1d36", - "_analyticRulecontentId6": 
"[variables('analyticRulecontentId6')]", - "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", - "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", - "huntingQueryVersion1": "1.0.0", - "huntingQuerycontentId1": "b43394b9-fa91-4d98-b331-619926a933bb", - "_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]", - "huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]", - "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]", - "_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]", - "huntingQueryVersion2": "1.0.0", - "huntingQuerycontentId2": "64e199a8-b26c-462f-a65c-09ed9b53a47b", - "_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]", - "huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]", - "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]", - "_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', 
uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]", - "huntingQueryVersion3": "1.0.0", - "huntingQuerycontentId3": "595aea5c-74c7-415b-8b12-10af1a338cdf", - "_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]", - "huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]", - "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]", - "_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]", - "huntingQueryVersion4": "1.0.0", - "huntingQuerycontentId4": "4dc0aae4-6375-4670-b138-8c42490ba206", - "_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]", - "huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]", - "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]", - "_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]", - "huntingQueryVersion5": "1.0.0", - "huntingQuerycontentId5": "54b222c4-0149-421e-9d6d-da66da50495a", - "_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]", - "huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]", - "huntingQueryTemplateSpecName5": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]", - "_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]", - "huntingQueryVersion6": "1.0.0", - "huntingQuerycontentId6": "ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f", - "_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]", - "huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]", - "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]", - "_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]", + "analyticRuleObject1": { + "analyticRuleVersion1": "1.0.0", + "_analyticRulecontentId1": "dd041e4e-1ee2-41ec-ba4e-82a71d628260", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'dd041e4e-1ee2-41ec-ba4e-82a71d628260')]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('dd041e4e-1ee2-41ec-ba4e-82a71d628260')))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','dd041e4e-1ee2-41ec-ba4e-82a71d628260','-', '1.0.0')))]" + }, + "analyticRuleObject2": { + "analyticRuleVersion2": "1.0.0", + "_analyticRulecontentId2": "7edde3d4-9859-4a00-b93c-b19ddda55320", + "analyticRuleId2": 
"[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '7edde3d4-9859-4a00-b93c-b19ddda55320')]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('7edde3d4-9859-4a00-b93c-b19ddda55320')))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','7edde3d4-9859-4a00-b93c-b19ddda55320','-', '1.0.0')))]" + }, + "analyticRuleObject3": { + "analyticRuleVersion3": "1.0.0", + "_analyticRulecontentId3": "fdbcc0eb-44fb-467e-a51d-a91df0780a81", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'fdbcc0eb-44fb-467e-a51d-a91df0780a81')]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('fdbcc0eb-44fb-467e-a51d-a91df0780a81')))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','fdbcc0eb-44fb-467e-a51d-a91df0780a81','-', '1.0.0')))]" + }, + "analyticRuleObject4": { + "analyticRuleVersion4": "1.0.0", + "_analyticRulecontentId4": "259de2c1-c546-4c6d-a17c-df639722f4d7", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '259de2c1-c546-4c6d-a17c-df639722f4d7')]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('259de2c1-c546-4c6d-a17c-df639722f4d7')))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','259de2c1-c546-4c6d-a17c-df639722f4d7','-', '1.0.0')))]" + }, + "analyticRuleObject5": { + "analyticRuleVersion5": "1.0.0", + "_analyticRulecontentId5": 
"f1443a87-78d5-40c3-b051-f468f0f2def0", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'f1443a87-78d5-40c3-b051-f468f0f2def0')]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('f1443a87-78d5-40c3-b051-f468f0f2def0')))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','f1443a87-78d5-40c3-b051-f468f0f2def0','-', '1.0.0')))]" + }, + "analyticRuleObject6": { + "analyticRuleVersion6": "1.0.0", + "_analyticRulecontentId6": "056593d4-ca3b-47a7-be9d-d1d0884a1d36", + "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '056593d4-ca3b-47a7-be9d-d1d0884a1d36')]", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('056593d4-ca3b-47a7-be9d-d1d0884a1d36')))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','056593d4-ca3b-47a7-be9d-d1d0884a1d36','-', '1.0.0')))]" + }, + "huntingQueryObject1": { + "huntingQueryVersion1": "1.0.0", + "_huntingQuerycontentId1": "b43394b9-fa91-4d98-b331-619926a933bb", + "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('b43394b9-fa91-4d98-b331-619926a933bb')))]" + }, + "huntingQueryObject2": { + "huntingQueryVersion2": "1.0.0", + "_huntingQuerycontentId2": "64e199a8-b26c-462f-a65c-09ed9b53a47b", + "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('64e199a8-b26c-462f-a65c-09ed9b53a47b')))]" + }, + "huntingQueryObject3": { + "huntingQueryVersion3": "1.0.0", + 
"_huntingQuerycontentId3": "595aea5c-74c7-415b-8b12-10af1a338cdf", + "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('595aea5c-74c7-415b-8b12-10af1a338cdf')))]" + }, + "huntingQueryObject4": { + "huntingQueryVersion4": "1.0.0", + "_huntingQuerycontentId4": "4dc0aae4-6375-4670-b138-8c42490ba206", + "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('4dc0aae4-6375-4670-b138-8c42490ba206')))]" + }, + "huntingQueryObject5": { + "huntingQueryVersion5": "1.0.0", + "_huntingQuerycontentId5": "54b222c4-0149-421e-9d6d-da66da50495a", + "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('54b222c4-0149-421e-9d6d-da66da50495a')))]" + }, + "huntingQueryObject6": { + "huntingQueryVersion6": "1.0.0", + "_huntingQuerycontentId6": "ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f", + "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring('ab8ddb26-050c-40aa-aaf0-bfb7e3eeb05f')))]" + }, "Ransomware File Extensions": "Ransomware File Extensions", "_Ransomware File Extensions": "[variables('Ransomware File Extensions')]", "workbookVersion1": "", @@ -139,7 +139,7 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName1')]", + "name": "[variables('analyticRuleObject1').analyticRuleTemplateSpecName1]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -148,13 +148,13 @@ "description": "StartupRegistryModified_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion1')]", + "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId1')]", + "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -220,102 +220,102 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } - ], - "entityType": "Process" + ] }, { + "entityType": "RegistryKey", "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } - ], - "entityType": "RegistryKey" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" 
} - ], - "entityType": "RegistryValue" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry run key {{RegistryKey}}.", - "alertDisplayNameFormat": "Registry Run Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + "alertDisplayNameFormat": "Registry Run Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})", + "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry run key {{RegistryKey}}." } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject1').analyticRuleId1,'/'))))]", "properties": { "description": "Malware Protection Essentials Analytics Rule 1", - "parentId": "[variables('analyticRuleId1')]", - "contentId": "[variables('_analyticRulecontentId1')]", + "parentId": "[variables('analyticRuleObject1').analyticRuleId1]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion1')]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]", "source": { "kind": "Solution", "name": "Malware Protection Essentials", 
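Review bot: The alertDetailsOverride placeholders in this hunk name columns that differ from the ones the entity mappings use: `{{RegistryKey}}` in the description while the RegistryKey entity maps `RegHive`/`RegKey`, and `{{DvcHostname}}`/`{{DvcIpAddr}}`/`{{ActorUsername}}` in the display name while the Host and Account entities map `HostName`/`Username`. The rule's KQL (outside this hunk, in StartupRegistryModified.yaml) must therefore project both sets of columns, otherwise the alert title and description render with empty or unresolved placeholders and the analyst triaging a persistence alert loses the key path. Separately, no IP entity is mapped for this rule even though the display name prints `{{DvcIpAddr}}`; adding `{ "entityType": "IP", "fieldMappings": [ { "columnName": "DvcIpAddr", "identifier": "Address" } ] }` as rules 3 and 4 do would keep the host pivot consistent across the solution.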
@@ -340,18 +340,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId1')]", + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", "contentKind": "AnalyticsRule", "displayName": "Detect Registry Run Key Creation/Modification", - "contentProductId": "[variables('_analyticRulecontentProductId1')]", - "id": "[variables('_analyticRulecontentProductId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentProductId": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "id": "[variables('analyticRuleObject1')._analyticRulecontentProductId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName2')]", + "name": "[variables('analyticRuleObject2').analyticRuleTemplateSpecName2]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -360,13 +360,13 @@ "description": "PrintProcessersModified_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion2')]", + "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId2')]", + "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -430,102 +430,102 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "ActingProcessId" + "columnName": "ActingProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "ActingProcessCommandLine" + "columnName": "ActingProcessCommandLine", + "identifier": "CommandLine" } - ], - "entityType": "Process" + ] }, { + "entityType": "RegistryKey", "fieldMappings": [ { - "identifier": "Hive", - "columnName": "RegHive" + "columnName": "RegHive", + "identifier": "Hive" }, { - "identifier": "Key", - "columnName": "RegKey" + "columnName": "RegKey", + "identifier": "Key" } - ], - "entityType": "RegistryKey" + ] }, { + "entityType": "RegistryValue", "fieldMappings": [ { - "identifier": "Name", - "columnName": "RegistryValue" + "columnName": "RegistryValue", + "identifier": "Name" }, { - "identifier": "Value", - "columnName": "RegistryValueData" + "columnName": "RegistryValueData", + "identifier": "Value" }, { - "identifier": "ValueType", - "columnName": "RegistryValueType" + "columnName": "RegistryValueType", + "identifier": "ValueType" 
} - ], - "entityType": "RegistryValue" + ] } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}.", - "alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})" + "alertDisplayNameFormat": "Print Processor Registry Driver Keys Modified on {{DvcHostname}} ({{DvcIpAddr}}) by ({{ActorUsername}})", + "alertDescriptionFormat": "Process {{ActingProcessName}} ProcessId: ({{ActingProcessId}}) modified registry driver key {{RegistryKey}}." } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject2').analyticRuleId2,'/'))))]", "properties": { "description": "Malware Protection Essentials Analytics Rule 2", - "parentId": "[variables('analyticRuleId2')]", - "contentId": "[variables('_analyticRulecontentId2')]", + "parentId": "[variables('analyticRuleObject2').analyticRuleId2]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion2')]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]", "source": { "kind": "Solution", "name": "Malware Protection Essentials", 
@@ -550,18 +550,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId2')]", + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", "contentKind": "AnalyticsRule", "displayName": "Detect Print Processors Registry Driver Key Creation/Modification", - "contentProductId": "[variables('_analyticRulecontentProductId2')]", - "id": "[variables('_analyticRulecontentProductId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentProductId": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "id": "[variables('analyticRuleObject2')._analyticRulecontentProductId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName3')]", + "name": "[variables('analyticRuleObject3').analyticRuleTemplateSpecName3]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -570,13 +570,13 @@ "description": "SuspiciousProcessCreation_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('analyticRuleVersion3')]", + "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('analyticRulecontentId3')]", + "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -641,81 +641,81 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { - "identifier": "HostName", - "columnName": "DvcHostname" + "columnName": "DvcHostname", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DvcDomain" + "columnName": "DvcDomain", + "identifier": "DnsDomain" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "DvcIpAddr" + "columnName": "DvcIpAddr", + "identifier": "Address" } - ], - "entityType": "IP" + ] }, { + "entityType": "Account", "fieldMappings": [ { - "identifier": "Name", - "columnName": "Username" + "columnName": "Username", + "identifier": "Name" }, { - "identifier": "UPNSuffix", - "columnName": "UPNSuffix" + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } - ], - "entityType": "Account" + ] }, { + "entityType": "Process", "fieldMappings": [ { - "identifier": "ProcessId", - "columnName": "TargetProcessId" + "columnName": "TargetProcessId", + "identifier": "ProcessId" }, { - "identifier": "CommandLine", - "columnName": "CommandLine" + "columnName": "CommandLine", + "identifier": "CommandLine" } - ], - "entityType": "Process" + ] } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "alertDetailsOverride": { - "alertDescriptionFormat": "Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created.", - "alertDisplayNameFormat": "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})" + "alertDisplayNameFormat": "Process with suspicious command line arguments was created on {{DvcHostname}} ({{DvcIpAddr}}) by ({{TargetUsername}})", + "alertDescriptionFormat": 
"Process '{{TargetProcessName}}' ProcessId: '{{TargetProcessId}}' with commandline {{CommandLine}} was created." } } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject3').analyticRuleId3,'/'))))]", "properties": { "description": "Malware Protection Essentials Analytics Rule 3", - "parentId": "[variables('analyticRuleId3')]", - "contentId": "[variables('_analyticRulecontentId3')]", + "parentId": "[variables('analyticRuleObject3').analyticRuleId3]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "kind": "AnalyticsRule", - "version": "[variables('analyticRuleVersion3')]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]", "source": { "kind": "Solution", "name": "Malware Protection Essentials", 
@@ -740,18 +740,18 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_analyticRulecontentId3')]", + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", "contentKind": "AnalyticsRule", "displayName": "Process Creation with Suspicious CommandLine Arguments", - "contentProductId": "[variables('_analyticRulecontentProductId3')]", - "id": "[variables('_analyticRulecontentProductId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentProductId": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "id": "[variables('analyticRuleObject3')._analyticRulecontentProductId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('analyticRuleTemplateSpecName4')]", + "name": "[variables('analyticRuleObject4').analyticRuleTemplateSpecName4]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" 
@@ -760,13 +760,13 @@
 "description": "BackupDeletionDetected_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
+ "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -829,81 +829,81 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "DvcHostname"
+ "columnName": "DvcHostname",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "DvcDomain"
+ "columnName": "DvcDomain",
+ "identifier": "DnsDomain"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "DvcIpAddr"
+ "columnName": "DvcIpAddr",
+ "identifier": "Address"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Username"
+ "columnName": "Username",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "ProcessId",
- "columnName": "TargetProcessId"
+ "columnName": "TargetProcessId",
+ "identifier": "ProcessId"
 },
 {
- "identifier": "CommandLine",
- "columnName": "CommandLine"
+ "columnName": "CommandLine",
+ "identifier": "CommandLine"
 }
- ],
- "entityType": "Process"
+ ]
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "AlertPerResult"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files.",
- "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}"
+ "alertDisplayNameFormat": "Tool {{TargetProcessName}} used to delete backup files on {{DvcHostname}} by {{TargetUsername}}",
+ "alertDescriptionFormat": "A system tool {{TargetProcessName}} ProcessId: ({{TargetProcessId}}) with {{CommandLine}} used to delete backup files."
 }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject4').analyticRuleId4,'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "parentId": "[variables('analyticRuleObject4').analyticRuleId4]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -928,18 +928,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]",
 "contentKind": "AnalyticsRule",
 "displayName": "Detect Malicious Usage of Recovery Tools to Delete Backup Files",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentProductId": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "id": "[variables('analyticRuleObject4')._analyticRulecontentProductId4]",
+ "version": "[variables('analyticRuleObject4').analyticRuleVersion4]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('analyticRuleObject5').analyticRuleTemplateSpecName5]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -948,13 +948,13 @@
 "description": "WindowsUpdateDisabled_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
+ "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1017,102 +1017,102 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Username"
+ "columnName": "Username",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "ProcessId",
- "columnName": "ActingProcessId"
+ "columnName": "ActingProcessId",
+ "identifier": "ProcessId"
 },
 {
- "identifier": "CommandLine",
- "columnName": "ActingProcessCommandLine"
+ "columnName": "ActingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ],
- "entityType": "Process"
+ ]
 },
 {
+ "entityType": "RegistryKey",
 "fieldMappings": [
 {
- "identifier": "Hive",
- "columnName": "RegHive"
+ "columnName": "RegHive",
+ "identifier": "Hive"
 },
 {
- "identifier": "Key",
- "columnName": "RegKey"
+ "columnName": "RegKey",
+ "identifier": "Key"
 }
- ],
- "entityType": "RegistryKey"
+ ]
 },
 {
+ "entityType": "RegistryValue",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "RegistryValue"
+ "columnName": "RegistryValue",
+ "identifier": "Name"
 },
 {
- "identifier": "Value",
- "columnName": "RegistryValueData"
+ "columnName": "RegistryValueData",
+ "identifier": "Value"
 },
 {
- "identifier": "ValueType",
- "columnName": "RegistryValueType"
+ "columnName": "RegistryValueType",
+ "identifier": "ValueType"
 }
- ],
- "entityType": "RegistryValue"
+ ]
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "singleAlert"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}",
- "alertDisplayNameFormat": "Windows Update Disabled from Registry on {{HostName}}"
+ "alertDisplayNameFormat": "Windows Update Disabled from Registry on {{HostName}}",
+ "alertDescriptionFormat": "Windows Update Disabled from Registry {{RegKey}} on {{HostName}} by {{Username}}"
 }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject5').analyticRuleId5,'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "parentId": "[variables('analyticRuleObject5').analyticRuleId5]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1137,18 +1137,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]",
 "contentKind": "AnalyticsRule",
 "displayName": "Detect Windows Update Disabled from Registry",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentProductId": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "id": "[variables('analyticRuleObject5')._analyticRulecontentProductId5]",
+ "version": "[variables('analyticRuleObject5').analyticRuleVersion5]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('analyticRuleObject6').analyticRuleTemplateSpecName6]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1157,13 +1157,13 @@
 "description": "WindowsAllowFirewallRuleAdded_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId6')]",
+ "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
@@ -1226,102 +1226,102 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "Username"
+ "columnName": "Username",
+ "identifier": "Name"
 },
 {
- "identifier": "UPNSuffix",
- "columnName": "UPNSuffix"
+ "columnName": "UPNSuffix",
+ "identifier": "UPNSuffix"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
- ],
- "entityType": "Account"
+ ]
 },
 {
+ "entityType": "Process",
 "fieldMappings": [
 {
- "identifier": "ProcessId",
- "columnName": "ActingProcessId"
+ "columnName": "ActingProcessId",
+ "identifier": "ProcessId"
 },
 {
- "identifier": "CommandLine",
- "columnName": "ActingProcessCommandLine"
+ "columnName": "ActingProcessCommandLine",
+ "identifier": "CommandLine"
 }
- ],
- "entityType": "Process"
+ ]
 },
 {
+ "entityType": "RegistryKey",
 "fieldMappings": [
 {
- "identifier": "Hive",
- "columnName": "RegHive"
+ "columnName": "RegHive",
+ "identifier": "Hive"
 },
 {
- "identifier": "Key",
- "columnName": "RegKey"
+ "columnName": "RegKey",
+ "identifier": "Key"
 }
- ],
- "entityType": "RegistryKey"
+ ]
 },
 {
+ "entityType": "RegistryValue",
 "fieldMappings": [
 {
- "identifier": "Name",
- "columnName": "RegistryValue"
+ "columnName": "RegistryValue",
+ "identifier": "Name"
 },
 {
- "identifier": "Value",
- "columnName": "RegistryValueData"
+ "columnName": "RegistryValueData",
+ "identifier": "Value"
 },
 {
- "identifier": "ValueType",
- "columnName": "RegistryValueType"
+ "columnName": "RegistryValueType",
+ "identifier": "ValueType"
 }
- ],
- "entityType": "RegistryValue"
+ ]
 }
 ],
 "eventGroupingSettings": {
 "aggregationKind": "singleAlert"
 },
 "alertDetailsOverride": {
- "alertDescriptionFormat": "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}}.",
- "alertDisplayNameFormat": "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}"
+ "alertDisplayNameFormat": "Allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}} on {{HostName}}",
+ "alertDescriptionFormat": "An allow Firewall Rule {{RegistryValueData}} added at registry key {{RegKey}}."
 }
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject6').analyticRuleId6,'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "parentId": "[variables('analyticRuleObject6').analyticRuleId6]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1346,18 +1346,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]",
 "contentKind": "AnalyticsRule",
 "displayName": "Detect Windows Allow Firewall Rule Addition/Modification",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentProductId": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "id": "[variables('analyticRuleObject6')._analyticRulecontentProductId6]",
+ "version": "[variables('analyticRuleObject6').analyticRuleVersion6]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[variables('huntingQueryObject1').huntingQueryTemplateSpecName1]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1366,7 +1366,7 @@
 "description": "NewMaliciousScheduledTask_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
+ "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1400,13 +1400,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1),'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject1')._huntingQuerycontentId1)]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
+ "version": "[variables('huntingQueryObject1').huntingQueryVersion1]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1431,18 +1431,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]",
 "contentKind": "HuntingQuery",
 "displayName": "Detect New Scheduled Task Creation that Run Executables From Non-Standard Location",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject1')._huntingQuerycontentId1,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('huntingQueryObject2').huntingQueryTemplateSpecName2]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1451,7 +1451,7 @@
 "description": "FileCretaedInStartupFolder_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "parameters": {},
 "variables": {},
 "resources": [
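Review bot: The hunting-query metadata block now bakes the literal `'1.0.0'` into `contentProductId`, `id` and `version`, while the matching contentTemplate (hunk at -1366) still derives `contentVersion` from `variables('huntingQueryObject1').huntingQueryVersion1`; if that variable is ever bumped, the product id and version recorded in metadata stop agreeing with the template version it describes. The same split appears for hunting queries 2 to 6 in the hunks at -1516, -1601, -1686, -1771 and -1856. This file reads as packaging-tool output, so the fix presumably belongs in whatever emits it rather than in a hand edit; the consistent form would be `"version": "[variables('huntingQueryObject1').huntingQueryVersion1]"` with the same expression replacing the literal inside `uniqueString(...)`.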
@@ -1485,13 +1485,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2),'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject2')._huntingQuerycontentId2)]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "version": "[variables('huntingQueryObject2').huntingQueryVersion2]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1516,18 +1516,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]",
 "contentKind": "HuntingQuery",
 "displayName": "Detect File Creation in Startup Folder",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject2')._huntingQuerycontentId2,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
+ "name": "[variables('huntingQueryObject3').huntingQueryTemplateSpecName3]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1536,7 +1536,7 @@
 "description": "FilesWithRansomwareExtensions_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
+ "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1570,13 +1570,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3),'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject3')._huntingQuerycontentId3)]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
+ "version": "[variables('huntingQueryObject3').huntingQueryVersion3]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1601,18 +1601,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]",
 "contentKind": "HuntingQuery",
 "displayName": "Detect Files with Ramsomware Extensions",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject3')._huntingQuerycontentId3,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('huntingQueryObject4').huntingQueryTemplateSpecName4]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1621,7 +1621,7 @@
 "description": "NewScheduledTaskCreation_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
 "parameters": {},
 "variables": {},
 "resources": [
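Review bot: The `displayName` in this hunk, `Detect Files with Ramsomware Extensions`, misspells "Ransomware"; the line is unchanged by the commit, but it is the title operators see for this hunting query and the commit leaves it as is. The `FileCretaedInStartupFolder_HuntingQueries` description in the hunk at -1451 carries the same kind of slip, apparently inherited from the source file name. Both strings presumably originate in the hunting query YAML files rather than here, so the correction belongs there with the template regenerated; the intended line is `"displayName": "Detect Files with Ransomware Extensions",`.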
@@ -1655,13 +1655,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4),'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject4')._huntingQuerycontentId4)]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "version": "[variables('huntingQueryObject4').huntingQueryVersion4]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1686,18 +1686,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]",
 "contentKind": "HuntingQuery",
 "displayName": "Detect New Scheduled Task Entry Creations",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject4')._huntingQuerycontentId4,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('huntingQueryObject5').huntingQueryTemplateSpecName5]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1706,7 +1706,7 @@
 "description": "SystemFilesModifiedByUser_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1740,13 +1740,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5),'/'))))]",
 "properties": {
 "description": "Malware Protection Essentials Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject5')._huntingQuerycontentId5)]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
 "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "version": "[variables('huntingQueryObject5').huntingQueryVersion5]",
 "source": {
 "kind": "Solution",
 "name": "Malware Protection Essentials",
@@ -1771,18 +1771,18 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]",
 "contentKind": "HuntingQuery",
 "displayName": "Detect Modification to System Files or Directories by User Accounts",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject5')._huntingQuerycontentId5,'-', '1.0.0')))]",
+ "version": "1.0.0"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "name": "[variables('huntingQueryObject6').huntingQueryTemplateSpecName6]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
@@ -1791,7 +1791,7 @@
 "description": "ExecutableInUncommonLocation_HuntingQueries Hunting Query with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
 "parameters": {},
 "variables": {},
 "resources": [
@@ -1825,13 +1825,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6),'/'))))]", "properties": { "description": "Malware Protection Essentials Hunting Query 6", - "parentId": "[variables('huntingQueryId6')]", - "contentId": "[variables('_huntingQuerycontentId6')]", + "parentId": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('huntingQueryObject6')._huntingQuerycontentId6)]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "kind": "HuntingQuery", - "version": "[variables('huntingQueryVersion6')]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]", "source": { "kind": "Solution", "name": "Malware Protection Essentials", 
@@ -1856,12 +1856,12 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_huntingQuerycontentId6')]", + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", "contentKind": "HuntingQuery", "displayName": "Executable Files Created in Uncommon Locations", - "contentProductId": "[variables('_huntingQuerycontentProductId6')]", - "id": "[variables('_huntingQuerycontentProductId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentProductId": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "id": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('huntingQueryObject6')._huntingQuerycontentId6,'-', '1.0.0')))]", + "version": "1.0.0" } }, { @@ -1891,7 +1891,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MalwareProtectionEssentialsWorkbookWorkbook Workbook with template version 3.0.0", + "description": "MalwareProtectionEssentialsWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
@@ -1994,63 +1994,63 @@ "criteria": [ { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId1')]", - "version": "[variables('analyticRuleVersion1')]" + "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]", + "version": "[variables('analyticRuleObject1').analyticRuleVersion1]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId2')]", - "version": "[variables('analyticRuleVersion2')]" + "contentId": "[variables('analyticRuleObject2')._analyticRulecontentId2]", + "version": "[variables('analyticRuleObject2').analyticRuleVersion2]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId3')]", - "version": "[variables('analyticRuleVersion3')]" + "contentId": "[variables('analyticRuleObject3')._analyticRulecontentId3]", + "version": "[variables('analyticRuleObject3').analyticRuleVersion3]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId4')]", - "version": "[variables('analyticRuleVersion4')]" + "contentId": "[variables('analyticRuleObject4')._analyticRulecontentId4]", + "version": "[variables('analyticRuleObject4').analyticRuleVersion4]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId5')]", - "version": "[variables('analyticRuleVersion5')]" + "contentId": "[variables('analyticRuleObject5')._analyticRulecontentId5]", + "version": "[variables('analyticRuleObject5').analyticRuleVersion5]" }, { "kind": "AnalyticsRule", - "contentId": "[variables('analyticRulecontentId6')]", - "version": "[variables('analyticRuleVersion6')]" + "contentId": "[variables('analyticRuleObject6')._analyticRulecontentId6]", + "version": "[variables('analyticRuleObject6').analyticRuleVersion6]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" + "contentId": "[variables('huntingQueryObject1')._huntingQuerycontentId1]", + "version": 
"[variables('huntingQueryObject1').huntingQueryVersion1]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" + "contentId": "[variables('huntingQueryObject2')._huntingQuerycontentId2]", + "version": "[variables('huntingQueryObject2').huntingQueryVersion2]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" + "contentId": "[variables('huntingQueryObject3')._huntingQuerycontentId3]", + "version": "[variables('huntingQueryObject3').huntingQueryVersion3]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" + "contentId": "[variables('huntingQueryObject4')._huntingQuerycontentId4]", + "version": "[variables('huntingQueryObject4').huntingQueryVersion4]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" + "contentId": "[variables('huntingQueryObject5')._huntingQuerycontentId5]", + "version": "[variables('huntingQueryObject5').huntingQueryVersion5]" }, { "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" + "contentId": "[variables('huntingQueryObject6')._huntingQuerycontentId6]", + "version": "[variables('huntingQueryObject6').huntingQueryVersion6]" }, { "kind": "Watchlist", diff --git a/Solutions/Malware Protection Essentials/Package/testParameters.json b/Solutions/Malware Protection Essentials/Package/testParameters.json new file mode 100644 index 00000000000..afcdadfbea3 --- /dev/null +++ b/Solutions/Malware Protection Essentials/Package/testParameters.json 
@@ -0,0 +1,40 @@ +{ + "location": { + "type": "string", + "minLength": 1, + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" + } + }, + "workspace-location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]" + } + }, + "workspace": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup" + } + }, + "watchlist1-id": { + "type": "string", + "defaultValue": "RansomwareFileExtensions", + "minLength": 1, + "metadata": { + "description": "Unique id for the watchlist" + } + }, + "workbook1-name": { + "type": "string", + "defaultValue": null, + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + } +} From a5d4047c897946ad5d77fb98bfe64c5003f4d338 Mon Sep 17 00:00:00 2001 From: rahul0216 Date: Fri, 22 Dec 2023 15:15:12 +0530 Subject: [PATCH 5/6] Update createUiDefinition.json --- .../Package/createUiDefinition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Solutions/Malware Protection Essentials/Package/createUiDefinition.json b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json index 561dbb2f22c..bc7dac4f170 100644 --- a/Solutions/Malware Protection Essentials/Package/createUiDefinition.json +++ b/Solutions/Malware Protection Essentials/Package/createUiDefinition.json @@ -80,13 +80,13 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": null, + "label": "Malware Protection Essentials", "elements": [ { "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": null + "text": "Malware Protection Essentials" } } ] 
From fa698d0ad5ec93f7369e8f1de6235d591fd3d3b0 Mon Sep 17 00:00:00 2001 
From: rahul0216 Date: Fri, 29 Dec 2023 09:57:44 +0530 Subject: [PATCH 6/6] Update Analytic rules, Hunting Queries and Workbook after validation --- ... to Team and immediately uploads file.yaml | 5 ++- .../MailItemsAccessedTimeSeries.yaml | 8 ++--- .../Mail_redirect_via_ExO_transport_rule.yaml | 4 +-- .../Analytic Rules/Malicious_Inbox_Rule.yaml | 7 ++-- .../Analytic Rules/MultipleTeamsDeletes.yaml | 4 +-- .../Analytic Rules/Office_MailForwarding.yaml | 6 ++-- .../Office_Uploaded_Executables.yaml | 12 +++---- .../Analytic Rules/RareOfficeOperations.yaml | 4 +-- .../exchange_auditlogdisabled.yaml | 14 +++++--- .../office_policytampering.yaml | 8 ++--- ...repoint_file_transfer_above_threshold.yaml | 6 ++-- ...file_transfer_folders_above_threshold.yaml | 6 ++-- ...omolousUserAccessingOtherUsersMailbox.yaml | 21 +++++++----- ...alUserAddedRemovedInTeams_HuntVersion.yaml | 17 ++++++---- .../ExternalUserFromNewOrgAddedToTeams.yaml | 13 +++++--- ...direct_via_ExO_transport_rule_hunting.yaml | 17 ++++++---- .../Hunting Queries/MultiTeamBot.yaml | 18 +++++++--- .../Hunting Queries/MultiTeamOwner.yaml | 13 +++++--- .../Hunting Queries/MultipleTeamsDeletes.yaml | 14 ++++++-- ...eUsersEmailForwardedToSameDestination.yaml | 17 ++++++---- .../Hunting Queries/NewBotAddedToTeams.yaml | 15 +++++---- ...ReservedFileNamesOnOfficeFileServices.yaml | 33 ++++++++++++------- .../OfficeMailForwarding_hunting.yaml | 28 +++++++++++----- .../Hunting Queries/TeamsFilesUploaded.yaml | 18 ++++++---- .../UserAddToTeamsAndUploadsFile.yaml | 13 ++++---- ...ReservedFileNamesOnOfficeFileServices.yaml | 32 +++++++++++------- .../Hunting Queries/double_file_ext_exes.yaml | 17 ++++++---- .../new_adminaccountactivity.yaml | 19 ++++++++--- .../new_sharepoint_downloads_by_IP.yaml | 9 +++-- ...new_sharepoint_downloads_by_UserAgent.yaml | 29 +++++++++++----- .../nonowner_MailboxLogin.yaml | 17 ++++++---- ...powershell_or_nonbrowser_MailboxLogin.yaml | 24 +++++++++----- .../Hunting 
Queries/sharepoint_downloads.yaml | 9 +++-- .../Workbooks/SharePointAndOneDrive.json | 10 +++--- 34 files changed, 302 insertions(+), 185 deletions(-) diff --git a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml index bd8a7e48458..c566fa9457a 100644 --- a/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/External User added to Team and immediately uploads file.yaml @@ -10,6 +10,9 @@ requiredDataConnectors: - connectorId: Office365 dataTypes: - OfficeActivity (Teams) + - connectorId: Office365 + dataTypes: + - OfficeActivity (SharePoint) queryFrequency: 1h queryPeriod: 1h triggerOperator: gt @@ -63,5 +66,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/MailItemsAccessedTimeSeries.yaml b/Solutions/Microsoft 365/Analytic Rules/MailItemsAccessedTimeSeries.yaml index d37087edfd9..0e8b82a185d 100644 --- a/Solutions/Microsoft 365/Analytic Rules/MailItemsAccessedTimeSeries.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/MailItemsAccessedTimeSeries.yaml @@ -11,7 +11,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 14d triggerOperator: gt 
@@ -45,12 +45,12 @@ query: | // during the anomalyhour to analysts to conduct investigation or informed decisions. TimeSeriesAlerts | where TimeGenerated > ago(2d) // Join against base logs since specified timeframe to retrive records associated with the hour of anomoly - | join ( + | join kind=innerunique ( OfficeActivity | where TimeGenerated > ago(2d) | extend DateHour = bin(TimeGenerated, 1h) | where OfficeWorkload=~ "Exchange" and Operation =~ "MailItemsAccessed" and ResultStatus =~ "Succeeded" - | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) + | summarize HourlyCount=count(), TimeGeneratedMax = arg_max(TimeGenerated, *), IPAdressList = make_set(Client_IPAddress, 1000), SourceIPMax= arg_max(Client_IPAddress, *), ClientInfoStringList= make_set(ClientInfoString, 1000) by MailboxOwnerUPN, Logon_Type, TenantId, UserType, TimeGenerated = bin(TimeGenerated, 1h) | where HourlyCount > 25 // Only considering operations with more than 25 hourly count to reduce False Positivies | order by HourlyCount desc ) on TimeGenerated @@ -70,5 +70,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP1 -version: 2.0.2 +version: 2.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml index 9175f31e4e1..a9ce19f8f8e 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Mail_redirect_via_ExO_transport_rule.yaml 
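Review bot: `join kind=innerunique` on the TimeSeriesAlerts line is already KQL's default join flavor, so this edit only makes existing behavior explicit rather than changing it; that behavior keeps a single left-side (TimeSeriesAlerts) row per distinct value of the join key `TimeGenerated`, so two anomaly rows that land in the same hour bin (different mailbox or tenant, for instance) appear to collapse to one and the other anomaly is silently dropped. If every anomaly should produce output, `| join kind=inner (` is the safer choice; if the dedup is intentional, a one-line comment saying so would save the next reader the question. The `make_set(..., 1000)` caps on the summarize line are harmless here because `HourlyCount` comes from `count()` rather than from the array length. The TimeSeriesAlerts source and the remainder of the query are outside this hunk.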
@@ -8,7 +8,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 1d triggerOperator: gt @@ -45,5 +45,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IPAddress -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml index bb5f47a7855..929c7b69545 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Malicious_Inbox_Rule.yaml @@ -9,7 +9,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 1d triggerOperator: gt @@ -23,7 +23,8 @@ relevantTechniques: query: | let Keywords = dynamic(["helpdesk", " alert", " suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]); OfficeActivity - | where Operation =~ "New-InboxRule" + | where OfficeWorkload =~ "Exchange" + | where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded") | where Parameters has "Deleted Items" or Parameters has "Junk Email" or Parameters has "DeleteMessage" | extend Events=todynamic(Parameters) | parse Events with * "SubjectContainsWords" SubjectContainsWords '}'* @@ -52,5 +53,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIPAddress -version: 2.0.2 +version: 2.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml index 5c46a555c5a..1bc0cdf566d 100644 --- a/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/MultipleTeamsDeletes.yaml 
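Review bot: The new `ResultStatus =~ "True" or ResultStatus =~ "Succeeded"` predicate restricts this rule to inbox rules that were actually created, which drops failed `New-InboxRule` attempts; a failed attempt to create a rule that hides messages mentioning "phishing" or "hijacked" is still a meaningful compromise indicator (an actor is in the mailbox without the needed permission), so the trade-off deserves either a comment or a lower-severity companion rule for failures. As a point of style, `| where Operation =~ "New-InboxRule" and ResultStatus in~ ("True", "Succeeded")` reads the same and avoids repeating the column. The rest of the query is outside this hunk.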
@@ -25,7 +25,7 @@ query: | OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "TeamDeleted" - | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName) by UserId + | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeams = make_set(TeamName, 1000) by UserId | where array_length(DeletedTeams) > max_delete_count | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) entityMappings: @@ -35,5 +35,5 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix -version: 2.0.2 +version: 2.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml index 1a2df77a30a..5c388c08383 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Office_MailForwarding.yaml @@ -8,7 +8,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 7d triggerOperator: gt @@ -27,7 +27,7 @@ query: | | where OfficeWorkload =~ "Exchange" //| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress") - | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) + | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source') | extend DestinationMailAddress = tolower(case( isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""), 
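Review bot: Capping `make_set(TeamName, 1000)` on the summarize line also caps `array_length(DeletedTeams)` on the following line at 1000, so the `> max_delete_count` comparison silently stops firing for any threshold of 1000 or more (`max_delete_count` is declared outside this hunk, so its current value is not visible here). Count independently of the capped set: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DeletedTeamCount = dcount(TeamName), DeletedTeams = make_set(TeamName, 1000) by UserId` followed by `| where DeletedTeamCount > max_delete_count`; the two SharePoint threshold rules later in this patch already use that dcount-plus-capped-set pattern. `dcount` is an estimate at large cardinalities, which is acceptable for a threshold well below the cap.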
@@ -53,5 +53,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.1 +version: 2.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml index 760b742bbc9..1f25bc8ab3e 100644 --- a/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/Office_Uploaded_Executables.yaml @@ -10,7 +10,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (SharePoint) queryFrequency: 1d queryPeriod: 8d triggerOperator: gt 
@@ -39,18 +39,18 @@ query: | OfficeActivity | where TimeGenerated between (ago(starttime) .. ago(endtime)) | where Operation =~ uploadOp | where SourceFileExtension has_any (execExt) - | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId) , PrevSeenCount = count() by SourceFileName + | summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000) , PrevSeenCount = count() by SourceFileName // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below //| where PrevSeenCount > threshold | mvexpand SourceRelativeUrl, UserId | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId) ) on SourceFileName, SourceRelativeUrl, UserId | extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2]) - | extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_',UserId)) + | extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_') // identify when UserId is not a match to the specific site url personal folder reference | extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) - | summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), - UserAgents = make_list(UserAgent), OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName) + | summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), + UserAgents = make_list(UserAgent, 100000), OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000) by OfficeWorkload, RecordType, Operation, UserType, UserKey, UserId, ClientIP, Site_Url, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder | extend AccountName = 
tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) entityMappings: @@ -72,5 +72,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: FileNames -version: 2.0.3 +version: 2.0.4 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml index 877c4162197..54d5f473aa5 100644 --- a/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/RareOfficeOperations.yaml @@ -21,7 +21,7 @@ relevantTechniques: query: | OfficeActivity | where Operation in~ ( "Add-MailboxPermission", "Add-MailboxFolderPermission", "Set-Mailbox", "New-ManagementRoleAssignment", "New-InboxRule", "Set-InboxRule", "Set-TransportRule") - and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox")) + and not(UserId has_any ('NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)', 'NT AUTHORITY\\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)', 'NT AUTHORITY\\SYSTEM (w3wp)', 'devilfish-applicationaccount') and Operation in~ ( "Add-MailboxPermission", "Set-Mailbox")) | extend ClientIPOnly = tostring(extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?', dynamic(["IPAddress"]), ClientIP)[0][0]) | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) entityMappings: @@ -39,5 +39,5 @@ entityMappings: fieldMappings: - identifier: AppId columnName: AppId -version: 2.0.2 +version: 2.0.3 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml index 3efcfd6deed..dc37b2b7ff4 100644 --- a/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml 
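Review bot: The rewritten line `| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_')` is missing the closing parenthesis of `tolower(`, so the query no longer parses and the rule cannot be saved or run; the line it replaced closed both calls. It should read `| extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_'))`. Separately, the two `make_set(..., 100000)` arrays on the summarize line are still paired positionally by the following `mvexpand SourceRelativeUrl, UserId`, so if the two sets are truncated to different effective lengths a URL can be paired with the wrong user; this predates the commit but is worth a comment now that the caps were introduced. The query begins before this hunk.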
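Review bot: The `and not(UserId has_any (...))` exclusion now allowlists a fourth identity, `NT AUTHORITY\SYSTEM (Microsoft.Exchange.AdminApi.NetCore)`, with no comment on why these principals may run Add-MailboxPermission/Set-Mailbox unreviewed; an allowlist inside a detection is a deliberate blind spot and should say so. Suggested comment above the line: `// Exchange service principals that issue Add-MailboxPermission/Set-Mailbox during background provisioning; excluded to suppress noise — review whenever a new SYSTEM identity is added`. That the new principal is a benign Exchange service context is inferred from its name and should be confirmed against tenant audit data before merging.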
+++ b/Solutions/Microsoft 365/Analytic Rules/exchange_auditlogdisabled.yaml @@ -1,5 +1,5 @@ id: 194dd92e-d6e7-4249-85a5-273350a7f5ce -name: Exchange AuditLog disabled +name: Exchange AuditLog Disabled description: | 'Identifies when the exchange audit logging has been disabled which may be an adversary attempt to evade detection or avoid other defenses.' @@ -8,7 +8,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 1d triggerOperator: gt @@ -19,13 +19,17 @@ relevantTechniques: - T1562 query: | OfficeActivity + | where OfficeWorkload =~ "Exchange" | where UserType in~ ("Admin","DcAdmin") // Only admin or global-admin can disable audit logging | where Operation =~ "Set-AdminAuditLogConfig" | extend AdminAuditLogEnabledValue = tostring(parse_json(tostring(parse_json(tostring(array_slice(parse_json(Parameters),3,3)))[0])).Value) | where AdminAuditLogEnabledValue =~ "False" | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count() by Operation, UserType, UserId, ClientIP, ResultStatus, Parameters, AdminAuditLogEnabledValue - | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId) + | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '') + | extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName) + | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '') entityMappings: - entityType: Account fieldMappings: 
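Review bot: The account parsing added at the end of this hunk is fine, but the validation pass left the line just above it, `array_slice(parse_json(Parameters),3,3)[0].Value`, reading `AdminAuditLogEnabled` by position; if Set-AdminAuditLogConfig is logged with its parameters in a different order or count, the rule compares the wrong value and never fires, which is precisely the audit-tampering event it exists to catch. Selecting the parameter by name is robust: `| mv-apply P = parse_json(Parameters) on (where tostring(P.Name) =~ "AdminAuditLogEnabled" | summarize AdminAuditLogEnabledValue = tostring(take_any(P.Value)))`, using the same Name/Value shape that Office_MailForwarding.yaml in this patch already parses. That the parameter is not always at index 3 is an inference from the schema rather than something visible in the logs here.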
@@ -33,9 +37,11 @@ entityMappings: columnName: AccountName - identifier: UPNSuffix columnName: AccountUPNSuffix + - identifier: NTDomain + columnName: AccountNTDomain - entityType: IP fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.2 +version: 2.0.3 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml index 0381bc14d55..f8fae368290 100644 --- a/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/office_policytampering.yaml @@ -1,5 +1,5 @@ id: fbd72eb8-087e-466b-bd54-1ca6ea08c6d3 -name: Office policy tampering +name: Office Policy Tampering description: | 'Identifies if any tampering is done to either auditlog, ATP Safelink, SafeAttachment, AntiPhish or Dlp policy. An adversary may use this technique to evade detection or avoid other policy based defenses. @@ -9,7 +9,7 @@ status: Available requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) queryFrequency: 1d queryPeriod: 1d triggerOperator: gt @@ -26,7 +26,7 @@ query: | //| where Operation startswith "Remove-" or Operation startswith "Disable-" | where Operation has_any ("Remove", "Disable") | where Operation contains "AntiPhish" or Operation contains "SafeAttachment" or Operation contains "SafeLinks" or Operation contains "Dlp" or Operation contains "Audit" - | summarize make_set(Operation); + | summarize make_set(Operation, 500); OfficeActivity // Only admin or global-admin can disable/remove policy | where RecordType =~ "ExchangeAdmin" @@ -56,5 +56,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: ClientIP -version: 2.0.1 +version: 2.0.2 kind: Scheduled \ No newline at end of file 
diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml index 5a8813f6085..171baf281b8 100644 --- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml +++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_above_threshold.yaml @@ -9,7 +9,7 @@ severity: Medium requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (SharePoint) queryFrequency: 15m queryPeriod: 15m triggerOperator: gt @@ -22,7 +22,7 @@ query: | let threshold = 5000; OfficeActivity | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded") - | summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId) by UserId,ClientIP,bin(TimeGenerated, 15m) + | summarize count_distinct_OfficeObjectId=dcount(OfficeObjectId), fileslist=make_set(OfficeObjectId, 10000) by UserId,ClientIP,bin(TimeGenerated, 15m) | where count_distinct_OfficeObjectId >= threshold | extend FileSample = iff(array_length(fileslist) == 1, tostring(fileslist[0]), strcat("SeeFilesListField","_", tostring(hash(tostring(fileslist))))) | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) @@ -55,5 +55,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml index 973d8d8a925..4da564dd33f 100644 --- a/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml 
+++ b/Solutions/Microsoft 365/Analytic Rules/sharepoint_file_transfer_folders_above_threshold.yaml @@ -9,7 +9,7 @@ severity: Medium requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (SharePoint) queryFrequency: 15m queryPeriod: 15m triggerOperator: gt @@ -22,7 +22,7 @@ query: | let threshold = 500; OfficeActivity | where EventSource == "SharePoint" and OfficeWorkload has_any("SharePoint", "OneDrive") and Operation has_any ("FileDownloaded", "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileUploaded") - | summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m) + | summarize count_distinct_SourceRelativeUrl=dcount(SourceRelativeUrl), dirlist=make_set(SourceRelativeUrl, 10000) by UserId,ClientIP,UserAgent,bin(TimeGenerated, 15m) | where count_distinct_SourceRelativeUrl >= threshold | extend DirSample = iff(array_length(dirlist) == 1, tostring(dirlist[0]), strcat("SeeDirListField","_", tostring(hash(tostring(dirlist))))) | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) @@ -55,5 +55,5 @@ incidentConfiguration: - Account groupByAlertDetails: [] groupByCustomDetails: [] -version: 1.0.1 +version: 1.0.2 kind: Scheduled diff --git a/Solutions/Microsoft 365/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml b/Solutions/Microsoft 365/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml index 729fcac6032..7b056e24d13 100644 --- a/Solutions/Microsoft 365/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/AnomolousUserAccessingOtherUsersMailbox.yaml 
@@ -1,11 +1,11 @@ id: 271e8881-3044-4332-a5f4-42264c2e0315 -name: Anomalous access to other user's mailboxes +name: Anomalous access to other users' mailboxes description: | - 'Looks for users accessing multiple other user's mailboxes or accessing multiple folders in another users mailbox' + 'Looks for users accessing multiple other users' mailboxes or accessing multiple folders in another users mailbox.' requiredDataConnectors: - connectorId: Office365 dataTypes: - - OfficeActivity + - OfficeActivity (Exchange) tactics: - Collection relevantTechniques: @@ -14,7 +14,6 @@ tags: - Solorigate - NOBELIUM query: | - let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = totimespan((endtime-starttime)*2); 
@@ -38,17 +37,21 @@ query: | | mv-expand parse_json(Folders) | extend folders = tostring(Folders.Path) | extend ClientIP = iif(Client_IPAddress startswith "[", extract("\\[([^\\]]*)", 1, Client_IPAddress), Client_IPAddress) - | summarize StartTime=max(TimeGenerated), EndTime=min(TimeGenerated), make_set(folders), make_set(ClientInfoString), make_set(ClientIP), make_set(MailboxGuid), make_set(MailboxOwnerUPN) by UserId + | summarize StartTime=max(TimeGenerated), EndTime=min(TimeGenerated), make_set(folders, 100000), make_set(ClientInfoString, 100000), make_set(ClientIP, 100000), make_set(MailboxGuid, 100000), make_set(MailboxOwnerUPN, 100000) by UserId | extend folder_count = array_length(set_folders) | extend user_count = array_length(set_MailboxGuid) | where user_count > user_threshold or folder_count > folder_threshold | extend Reason = case(user_count > user_threshold and folder_count > folder_threshold, "Both User and Folder Threshold Exceeded", folder_count > folder_threshold and user_count < user_threshold, "Folder Count Threshold Exceeded","User Threshold Exceeded") | sort by user_count desc | project-reorder UserId, user_count, folder_count, set_MailboxOwnerUPN, set_ClientIP, set_ClientInfoString, set_folders - | extend timestamp = StartTime, AccountCustomEntity = UserId + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file 
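Review bot: The changed summarize line keeps `StartTime=max(TimeGenerated), EndTime=min(TimeGenerated)`, so StartTime reports the latest event and EndTime the earliest; the aggregates should be `StartTime=min(TimeGenerated), EndTime=max(TimeGenerated)`. The same swap is carried into the new summarize lines of MultiTeamBot.yaml (`Start=max(...), End=min(...)`) and double_file_ext_exes.yaml, where `UploadTime=Start` then reports the last upload rather than the first. The 100000 caps on the five make_set calls are also large enough to produce very wide rows for a noisy account; if that is intended, a short comment on the line would help. The query body begins before this hunk.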
diff --git a/Solutions/Microsoft 365/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml b/Solutions/Microsoft 365/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml index b34562f4c8d..21847f85ae2 100644 --- a/Solutions/Microsoft 365/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml @@ -1,5 +1,5 @@ id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c -name: External user added and removed in a short timeframe - Hunt Version +name: External user added and removed in a short timeframe description: | 'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.' requiredDataConnectors: @@ -11,7 +11,6 @@ tactics: relevantTechniques: - T1136 query: | - // If you want to look at user added further than 7 days ago adjust this value // If you want to change the timeframe of how quickly accounts need to be added and removed change this value let time_delta = 1h; @@ -21,7 +20,7 @@ query: | | extend UPN = tostring(parse_json(Members)[0].UPN) | where UPN contains ("#EXT#") | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName, TeamGuid - | join ( + | join kind=innerunique ( OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "MemberRemoved" 
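Review bot: `| join kind=innerunique (` makes the former default explicit, but innerunique keeps only one left-side row per (UPN, TeamGuid) key, so when the same external user is added to the same team more than once in the window only one add event is paired with a removal and repeated add/remove churn is under-reported. If every pairing matters, `| join kind=inner (` keeps all left rows. The join and its right-hand subquery continue past the end of this hunk.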
@@ -30,10 +29,14 @@ query: | | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName, TeamGuid) on UPN, TeamGuid | where TimeDeleted < (TimeAdded + time_delta) | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid - | extend timestamp = TimeAdded, AccountCustomEntity = UPN + | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml b/Solutions/Microsoft 365/Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml index ad11b81de22..1903b2782fa 100644 --- a/Solutions/Microsoft 365/Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/ExternalUserFromNewOrgAddedToTeams.yaml @@ -11,7 +11,6 @@ tactics: relevantTechniques: - T1136 query: | - let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = totimespan((endtime-starttime)*7); 
@@ -33,10 +32,14 @@ query: | | extend Organization = tostring(split(split(UPN, "_")[1], "#")[0]) | where isnotempty(Organization) | where Organization !in (known_orgs) - | extend timestamp = TimeGenerated, AccountCustomEntity = UPN + | extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml b/Solutions/Microsoft 365/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml index d131826f8cb..181892f2153 100644 --- a/Solutions/Microsoft 365/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/Mail_redirect_via_ExO_transport_rule_hunting.yaml @@ -14,7 +14,6 @@ relevantTechniques: - T1114 - T1020 query: | - OfficeActivity | where OfficeWorkload == "Exchange" | where Operation in~ ("New-TransportRule", "Set-TransportRule") 
@@ -28,15 +27,19 @@ query: | | extend RedirectTo = ExpandedParameters.Value | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, Operation, RuleName, Parameters - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = IPAddress - + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend IP_0_Address = IPAddress entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 2.0.0 + columnName: IPAddress +version: 2.0.1 diff --git a/Solutions/Microsoft 365/Hunting Queries/MultiTeamBot.yaml b/Solutions/Microsoft 365/Hunting Queries/MultiTeamBot.yaml index 44ee3152d5c..e17e13920dd 100644 --- a/Solutions/Microsoft 365/Hunting Queries/MultiTeamBot.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/MultiTeamBot.yaml 
@@ -13,18 +13,26 @@ relevantTechniques: - T1176 - T1119 query: | - // Adjust these thresholds to suit your environment. let threshold = 2; let time_threshold = timespan(5m); OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "BotAddedToTeam" - | summarize Start=max(TimeGenerated), End=min(TimeGenerated), Teams = makeset(TeamName) + | summarize Start=max(TimeGenerated), End=min(TimeGenerated), Teams = make_set(TeamName, 10000) by UserId | extend CountOfTeams = array_length(Teams) | extend TimeDelta = End - Start | where CountOfTeams > threshold | where TimeDelta >= time_threshold - | project Start, End, Teams, CountOfTeams - | extend timestamp = Start -version: 2.0.0 \ No newline at end of file + | project Start, End, Teams, CountOfTeams, UserId + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/MultiTeamOwner.yaml b/Solutions/Microsoft 365/Hunting Queries/MultiTeamOwner.yaml index c1ac35095cf..0db112dfa66 100644 --- a/Solutions/Microsoft 365/Hunting Queries/MultiTeamOwner.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/MultiTeamOwner.yaml @@ -11,7 +11,6 @@ tactics: relevantTechniques: - T1078 query: | - // Adjust this value to change how many teams a user is made owner of before detecting let max_owner_count = 3; // Change this value to adjust how larger timeframe the query is run over. 
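Review bot: With `Start=max(TimeGenerated), End=min(TimeGenerated)` on the new summarize line, `TimeDelta = End - Start` two lines later is never positive, so `where TimeDelta >= time_threshold` with a 5-minute threshold can never be true and the query returns nothing. Swapping to `Start=min(TimeGenerated), End=max(TimeGenerated)` makes TimeDelta the span of the additions; at that point check whether the intended filter for bots added to several teams in a short window is `<= time_threshold` rather than `>=`, since the description is outside this hunk. Adding `by UserId` to the summarize is a good change, as the previous version aggregated across all users.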
@@ -31,10 +30,14 @@ query: | | extend NewRole = toint(parse_json(Members)[0].Role) | where NewRole == 2 | where Member in (high_owner_count) - | extend timestamp = TimeGenerated, AccountCustomEntity = Member + | extend AccountName = tostring(split(Member, "@")[0]), AccountUPNSuffix = tostring(split(Member, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/MultipleTeamsDeletes.yaml b/Solutions/Microsoft 365/Hunting Queries/MultipleTeamsDeletes.yaml index 804aea30469..9fbb88a5558 100644 --- a/Solutions/Microsoft 365/Hunting Queries/MultipleTeamsDeletes.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/MultipleTeamsDeletes.yaml @@ -12,7 +12,6 @@ relevantTechniques: - T1485 - T1489 query: | - // Adjust this value to change how many Teams should be deleted before including let max_delete = 3; let deleting_users = ( @@ -26,5 +25,14 @@ query: | | where OfficeWorkload =~ "MicrosoftTeams" | where Operation =~ "TeamDeleted" | where UserId in (deleting_users) - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId -version: 2.0.0 + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 
diff --git a/Solutions/Microsoft 365/Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml b/Solutions/Microsoft 365/Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml index b3309426217..1e9706cd8a0 100644 --- a/Solutions/Microsoft 365/Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/MultipleUsersEmailForwardedToSameDestination.yaml @@ -27,7 +27,7 @@ query: | | where OfficeWorkload =~ "Exchange" //| where Operation in ("Set-Mailbox", "New-InboxRule", "Set-InboxRule") | where Parameters has_any ("ForwardTo", "RedirectTo", "ForwardingSmtpAddress") - | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) + | mv-apply DynamicParameters = todynamic(Parameters) on (summarize ParsedParameters = make_bag(bag_pack(tostring(DynamicParameters.Name), DynamicParameters.Value))) | evaluate bag_unpack(ParsedParameters, columnsConflict='replace_source') | extend DestinationMailAddress = tolower(case( isnotempty(column_ifexists("ForwardTo", "")), column_ifexists("ForwardTo", ""), 
@@ -41,15 +41,20 @@ query: | | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DistinctUserCount = dcount(UserId), UserId = make_set(UserId, 250), Ports = make_set(Port, 250), EventCount = count() by tostring(DestinationMailAddress), ClientIP | where DistinctUserCount > 1 and EndTime > ago(queryfrequency) | mv-expand UserId to typeof(string) - | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend IP_0_Address = ClientIP entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 2.0.0 + columnName: ClientIP +version: 2.0.1 kind: Scheduled diff --git a/Solutions/Microsoft 365/Hunting Queries/NewBotAddedToTeams.yaml b/Solutions/Microsoft 365/Hunting Queries/NewBotAddedToTeams.yaml index 4145f9ef6f7..3e50af5311a 100644 --- a/Solutions/Microsoft 365/Hunting Queries/NewBotAddedToTeams.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/NewBotAddedToTeams.yaml @@ -12,8 +12,7 @@ tactics: relevantTechniques: - T1176 - T1119 -query: | - +query: | let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = starttime - 14d; 
@@ -28,10 +27,14 @@ query: | | where OfficeWorkload =~ "MicrosoftTeams" // Look for add-ins we have never seen before | where AddonName in (historical_bots) - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 diff --git a/Solutions/Microsoft 365/Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml b/Solutions/Microsoft 365/Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml index 7fef5bbcdeb..0a17b4c35be 100644 --- a/Solutions/Microsoft 365/Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/New_WindowsReservedFileNamesOnOfficeFileServices.yaml @@ -18,7 +18,6 @@ tactics: relevantTechniques: - T1105 query: | - let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = totimespan((endtime-starttime)*7); 
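Review bot: The context line `| where AddonName in (historical_bots)` sits directly under the comment `// Look for add-ins we have never seen before`, so the filter looks inverted: as written it returns only bots that are already in the historical set. Unless `historical_bots` is built earlier in the query as an exclusion list (its definition is outside this hunk), this should be `| where AddonName !in (historical_bots)`. The new entity mapping lines are fine, but the query as shown would populate them only for previously seen bots.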
@@ -38,28 +37,38 @@ query: | | where SourceFileName !~ SourceFileExtension | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved) | where UserAgent !has "Mac OS" - | summarize SourceRelativeUrl = make_set(SourceRelativeUrl), UserId = make_set(UserId), SourceFileName = make_set(SourceFileName) , PrevSeenCount = count() by SourceFileExtension + | summarize SourceRelativeUrl = make_set(SourceRelativeUrl, 100000), UserId = make_set(UserId, 100000), SourceFileName = make_set(SourceFileName, 100000) , PrevSeenCount = count() by SourceFileExtension // To exclude previous matches when only above a specific count, change threshold above and uncomment the line below //| where PrevSeenCount > threshold | mvexpand SourceRelativeUrl, UserId, SourceFileName | extend SourceRelativeUrl = tostring(SourceRelativeUrl), UserId = tostring(UserId), SourceFileName = tostring(SourceFileName) ) on SourceFileExtension | extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2]) - | extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_',UserId)) + | extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_')) // identify when UserId is not a match to the specific site url personal folder reference | extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) - | summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), - OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName) + | summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation, 100000), UserAgents = make_list(UserAgent, 100000), + OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), 
FileNames = make_list(SourceFileName, 100000) by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension, SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder // Use mvexpand on any list items and you can expand out the exact time and other metadata about the hit - | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend IP_0_Address = ClientIP + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend URL_0_Url = Site_Url entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 2.0.0 \ No newline at end of file + columnName: ClientIP + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Site_Url +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/OfficeMailForwarding_hunting.yaml b/Solutions/Microsoft 365/Hunting Queries/OfficeMailForwarding_hunting.yaml index 9b1c3b340d1..32b093c27b2 100644 --- a/Solutions/Microsoft 365/Hunting Queries/OfficeMailForwarding_hunting.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/OfficeMailForwarding_hunting.yaml @@ -17,8 +17,8 @@ relevantTechniques: - T1114 - T1020 query: | - OfficeActivity + | where OfficeWorkload == "Exchange" | where (Operation =~ "Set-Mailbox" and Parameters contains 'ForwardingSmtpAddress') or (Operation in~ ('New-InboxRule','Set-InboxRule') and (Parameters contains 'ForwardTo' or Parameters contains 'RedirectTo')) | extend parsed=parse_json(Parameters) 
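Review bot: The new summarize line turns seven columns into `make_list(..., 100000)` per group, so a single busy user/site group can yield rows with hundreds of thousands of array elements; the same pattern is in the new summarize line of WindowsReservedFileNamesOnOfficeFileServices.yaml. The `make_set(..., 100000)` calls in the join subquery above have the same effect. If the cap is deliberate, a comment such as `// lists capped at 100000 elements; mv-expand for per-event detail` at the summarize would explain it; otherwise a smaller cap keeps hunting results readable. The query and the join it belongs to start before this hunk.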
@@ -37,18 +37,30 @@ query: | ClientIP ) | project TimeGenerated, UserId, UserDomain, subDomain, Operation, ForwardedtoDomain, ClientIPAddress, Result, Port, OriginatingServer, OfficeObjectId, fwdingDestination - | extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIPAddress, HostCustomEntity = OriginatingServer + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Host = tostring(split(OriginatingServer, " (")[0]) + | extend HostName = tostring(split(Host, ".")[0]) + | extend DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.')) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend IP_0_Address = ClientIPAddress + | extend Host_0_HostName = HostName + | extend Host_0_DnsDomain = DnsDomain entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity + columnName: ClientIPAddress - entityType: Host fieldMappings: - - identifier: FullName - columnName: HostCustomEntity -version: 2.0.0 + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain +version: 2.0.1 diff --git a/Solutions/Microsoft 365/Hunting Queries/TeamsFilesUploaded.yaml b/Solutions/Microsoft 365/Hunting Queries/TeamsFilesUploaded.yaml index aaa0fece582..1561b08ec27 100644 --- a/Solutions/Microsoft 365/Hunting Queries/TeamsFilesUploaded.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/TeamsFilesUploaded.yaml @@ -16,7 +16,6 @@ relevantTechniques: - T1102 - T1078 query: | - OfficeActivity | where RecordType =~ "SharePointFileOperation" | where Operation =~ "FileUploaded" 
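Review bot: The new host parsing `Host = tostring(split(OriginatingServer, " (")[0])` assumes OriginatingServer is formatted as an FQDN followed by a parenthesised suffix; a comment stating that would help the next maintainer, e.g. `// OriginatingServer is "host.domain.tld (version)"; keep only the FQDN`. For a value with no dot, `array_slice(split(Host, '.'), 1, -1)` yields an empty array, so DnsDomain becomes an empty string and the Host entity carries only HostName, which is acceptable but worth noting on the DnsDomain line. The project line and the rest of the query begin before this hunk.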
@@ -29,13 +28,18 @@ query: | | where UserId != "app@sharepoint" | where SourceRelativeUrl has "Microsoft Teams Chat Files" ) on OfficeObjectId - | extend userBag = pack(UserId1, ClientIP1) - | summarize makeset(UserId1), make_bag(userBag) by TimeGenerated, UserId, OfficeObjectId, SourceFileName + | extend userBag = bag_pack(UserId1, ClientIP1) + | summarize make_set(UserId1, 10000), make_bag(userBag, 10000) by TimeGenerated, UserId, OfficeObjectId, SourceFileName | extend NumberUsers = array_length(bag_keys(bag_userBag)) - | project timestamp=TimeGenerated, AccountCustomEntity=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers + | project timestamp=TimeGenerated, UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, NumberOfUsersAccessed=NumberUsers + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/UserAddToTeamsAndUploadsFile.yaml b/Solutions/Microsoft 365/Hunting Queries/UserAddToTeamsAndUploadsFile.yaml index bfac50396f4..1f7b1308c70 100644 --- a/Solutions/Microsoft 365/Hunting Queries/UserAddToTeamsAndUploadsFile.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/UserAddToTeamsAndUploadsFile.yaml 
@@ -1,7 +1,7 @@ id: 3d6d0c04-7337-40cf-ace6-c471d442356d -name: User added to Team and immediately uploads file +name: User added to Teams and immediately uploads file description: | - 'This hunting queries identifies users who are added to a Team or Teams chat + 'This hunting queries identifies users who are added to a Teams Channel or Teams chat and within 1 minute of being added upload a file via the chat. This might be an indicator of suspicious activity.' requiredDataConnectors: @@ -13,7 +13,6 @@ tactics: relevantTechniques: - T1566 query: | - let threshold = 1m; OfficeActivity | where OfficeWorkload =~ "MicrosoftTeams" @@ -33,6 +32,8 @@ query: | entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml b/Solutions/Microsoft 365/Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml index e3b9c367a91..47a30a991b6 100644 --- a/Solutions/Microsoft 365/Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/WindowsReservedFileNamesOnOfficeFileServices.yaml 
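Review bot: The rewritten description line still reads `'This hunting queries identifies users who are added to a Teams Channel or Teams chat`; it should be `'This hunting query identifies users who are added to a Teams Channel or Teams chat`. The name line above was corrected to `Teams` but the grammar slip on the next line was left in place.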
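Review bot: The new mapping lines `columnName: AccountName` and `columnName: AccountUPNSuffix` reference columns that no hunk in this file adds, whereas every other file in this commit pairs the mapping change with an `| extend AccountName = tostring(split(..., "@")[0]), AccountUPNSuffix = tostring(split(..., "@")[1])` line in the query. Unless the query already produced those columns before this commit (its body lies between the shown hunks), the Account entity will be empty at runtime. The old `AccountCustomEntity` extend line should be replaced the same way as in the sibling files.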
@@ -6,7 +6,7 @@ description-detailed: | 'Identifies when Windows Reserved Filenames show up on Office services such as SharePoint and OneDrive. List currently includes 'CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9' file extensions. - Additionally, identifies when a given user is uploading these files to another users workspace. + Additionally, identifies when a given user is uploading these files to another user's workspace. This may be indication of a staging location for malware or other malicious activity. References: https://docs.microsoft.com/windows/win32/fileio/naming-a-file' requiredDataConnectors: @@ -18,7 +18,6 @@ tactics: relevantTechniques: - T1105 query: | - // Reserved FileNames/Extension for Windows let Reserved = dynamic(['CON', 'PRN', 'AUX', 'NUL', 'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9', 'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9']); OfficeActivity 
@@ -26,21 +25,30 @@ query: | | where SourceFileExtension in~ (Reserved) or SourceFileName in~ (Reserved) | where UserAgent !has "Mac OS" | extend SiteUrlUserFolder = tolower(split(Site_Url, '/')[-2]) - | extend UserIdUserFolderFormat = tolower(replace('@|\\.', '_',UserId)) + | extend UserIdUserFolderFormat = tolower(replace_regex(UserId, '@|\\.', '_')) // identify when UserId is not a match to the specific site url personal folder reference | extend UserIdDiffThanUserFolder = iff(Site_Url has '/personal/' and SiteUrlUserFolder != UserIdUserFolderFormat, true , false ) - | summarize TimeGenerated = make_list(TimeGenerated), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation), UserAgents = make_list(UserAgent), - OfficeIds = make_list(OfficeId), SourceRelativeUrls = make_list(SourceRelativeUrl), FileNames = make_list(SourceFileName) + | summarize TimeGenerated = make_list(TimeGenerated, 100000), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Operations = make_list(Operation, 100000), UserAgents = make_list(UserAgent, 100000), OfficeIds = make_list(OfficeId, 100000), SourceRelativeUrls = make_list(SourceRelativeUrl, 100000), FileNames = make_list(SourceFileName, 100000) by OfficeWorkload, RecordType, UserType, UserKey, UserId, ClientIP, Site_Url, SourceFileExtension,SiteUrlUserFolder, UserIdUserFolderFormat, UserIdDiffThanUserFolder // Use mvexpand on any list items and you can expand out the exact time and other metadata about the hit - | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP + | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1]) + | extend IP_0_Address = ClientIP + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend URL_0_Url = Site_Url entityMappings: - - entityType: Account - fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity - 
entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 2.0.0 + columnName: ClientIP + - entityType: Account + fieldMappings: + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Site_Url +version: 2.0.1 diff --git a/Solutions/Microsoft 365/Hunting Queries/double_file_ext_exes.yaml b/Solutions/Microsoft 365/Hunting Queries/double_file_ext_exes.yaml index 96d36682b43..cf2d3784700 100644 --- a/Solutions/Microsoft 365/Hunting Queries/double_file_ext_exes.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/double_file_ext_exes.yaml @@ -12,7 +12,6 @@ tactics: relevantTechniques: - T1036 query: | - let known_ext = dynamic(["lnk","log","option","config", "manifest", "partial"]); let excluded_users = dynamic(["app@sharepoint"]); OfficeActivity 
@@ -25,14 +24,18 @@ query: | | where SourceFileExtension !in~ (known_ext) ) on OfficeObjectId | where UserId1 !in~ (excluded_users) - | extend userBag = pack(UserId1, ClientIP1) - | summarize makeset(UserId1), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension + | extend userBag = bag_pack(UserId1, ClientIP1) + | summarize make_set(UserId1, 10000), make_bag(userBag), Start=max(TimeGenerated), End=min(TimeGenerated) by UserId, OfficeObjectId, SourceFileName, Extension | extend NumberOfUsers = array_length(bag_keys(bag_userBag)) | project UploadTime=Start, Uploader=UserId, FileLocation=OfficeObjectId, FileName=SourceFileName, AccessedBy=bag_userBag, Extension, NumberOfUsers - | extend timestamp = UploadTime, AccountCustomEntity = Uploader + | extend UploaderName = tostring(split(Uploader, "@")[0]), UploaderUPNSuffix = tostring(split(Uploader, "@")[1]) + | extend Account_0_Name = UploaderName + | extend Account_0_UPNSuffix = UploaderUPNSuffix entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: UploaderName + - identifier: UPNSuffix + columnName: UploaderUPNSuffix +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/new_adminaccountactivity.yaml b/Solutions/Microsoft 365/Hunting Queries/new_adminaccountactivity.yaml index 065111504c6..ef2ecb2753c 100644 --- a/Solutions/Microsoft 365/Hunting Queries/new_adminaccountactivity.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/new_adminaccountactivity.yaml @@ -15,7 +15,6 @@ relevantTechniques: - T1078 - T1114 query: | - let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = starttime - 14d; 
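Review bot: The new summarize line caps `make_set(UserId1, 10000)` but leaves `make_bag(userBag)` uncapped, whereas the parallel change in TeamsFilesUploaded.yaml uses `make_bag(userBag, 10000)`; using `make_bag(userBag, 10000)` here keeps the two queries consistent and bounds the per-row bag that feeds `NumberOfUsers`. The `set_UserId1` column produced by the make_set is not referenced by the later project, so it could be dropped. The join this summarize closes begins before this hunk.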
@@ -39,10 +38,20 @@ query: | | where RecordType == "ExchangeAdmin" | where UserType in ("Admin","DcAdmin")) on UserId | summarize StartTime = max(TimeGenerated), EndTime = min(TimeGenerated), count() by RecordType, Operation, UserType, UserId, OriginatingServer, ResultStatus - | extend timestamp = StartTime, AccountCustomEntity = UserId + | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId) + | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '') + | extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName) + | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '') + | extend Account_0_Name = AccountName + | extend Account_0_UPNSuffix = AccountUPNSuffix + | extend Account_0_NTDomain = AccountNTDomain entityMappings: - entityType: Account fieldMappings: - - identifier: FullName - columnName: AccountCustomEntity -version: 2.0.0 \ No newline at end of file + - identifier: Name + columnName: AccountName + - identifier: UPNSuffix + columnName: AccountUPNSuffix + - identifier: NTDomain + columnName: AccountNTDomain +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_IP.yaml b/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_IP.yaml index ffa908240db..ac553e691b5 100644 --- a/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_IP.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_IP.yaml 
@@ -3,7 +3,7 @@ name: SharePointFileOperation via previously unseen IPs description: | 'Shows SharePoint upload/download volume by IPs with high-risk ASNs. New IPs with volume spikes may be unauthorized and exfiltrating documents.' description-detailed: | - 'Shows volume of documents uploaded to or downloaded from Sharepoint by IPs with ASNs associated with high user lockout or malicious activity. + 'Shows volume of documents uploaded to or downloaded from SharePoint by IPs with ASNs associated with high user lockout or malicious activity. In stable environments such connections by new IPs may be unauthorized, especially if associated with spikes in volume which could be associated with large-scale document exfiltration.' requiredDataConnectors: @@ -18,7 +18,6 @@ tactics: relevantTechniques: - T1030 query: | - let starttime = todatetime('{{StartTimeISO}}'); let endtime = todatetime('{{EndTimeISO}}'); let lookback = starttime - 14d; @@ -44,10 +43,10 @@ query: | | where Operation in ("FileDownloaded", "FileUploaded") | where ClientIP in (ASNIPs) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities = count() by ClientIP - | extend timestamp = StartTime, IPCustomEntity = ClientIP + | extend IP_0_Address = ClientIP entityMappings: - entityType: IP fieldMappings: - identifier: Address - columnName: IPCustomEntity -version: 2.0.0 \ No newline at end of file + columnName: ClientIP +version: 2.0.1 \ No newline at end of file diff --git a/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml b/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml index 1a4eb21aac2..bebfcd71db0 100644 --- a/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml +++ b/Solutions/Microsoft 365/Hunting Queries/new_sharepoint_downloads_by_UserAgent.yaml 
@@ -15,7 +15,6 @@ tactics:
 relevantTechniques:
 - T1030
 query: |
-
 let starttime = todatetime('{{StartTimeISO}}');
 let endtime = todatetime('{{EndTimeISO}}');
 let lookback = starttime - 14d;
@@ -34,13 +33,27 @@ query: |
 | where TimeGenerated between (starttime .. endtime)
 | where RecordType == "SharePointFileOperation"
 | where Operation in ("FileDownloaded", "FileUploaded")
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities=count() by UserAgent
- | join (HistoricalActivity) on UserAgent
+ | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), RecentFileActivities=count() by UserAgent, UserId, ClientIP, Site_Url
+ | join kind=innerunique (HistoricalActivity) on UserAgent
 | project-away UserAgent1
- | extend timestamp = StartTime, UserAgentCustomEntity = UserAgent
+ | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
+ | extend IP_0_Address = ClientIP
+ | extend Account_0_Name = AccountName
+ | extend Account_0_UPNSuffix = AccountUPNSuffix
+ | extend URL_0_Url = Site_Url
 entityMappings:
- - entityType: CloudLogonSession
+ - entityType: IP
 fieldMappings:
- - identifier: UserAgent
- columnName: UserAgent
-version: 2.0.0
\ No newline at end of file
+ - identifier: Address
+ columnName: ClientIP
+ - entityType: Account
+ fieldMappings:
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: AccountUPNSuffix
+ - entityType: URL
+ fieldMappings:
+ - identifier: Url
+ columnName: Site_Url
+version: 2.0.1
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Hunting Queries/nonowner_MailboxLogin.yaml b/Solutions/Microsoft 365/Hunting Queries/nonowner_MailboxLogin.yaml
index 79fd0eef786..53da9b04bc4 100644
--- a/Solutions/Microsoft 365/Hunting Queries/nonowner_MailboxLogin.yaml
+++ b/Solutions/Microsoft 365/Hunting Queries/nonowner_MailboxLogin.yaml
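Review bot: Widening the key to `summarize ... by UserAgent, UserId, ClientIP, Site_Url` now yields several left-side rows per UserAgent, but the join on the next changed line is `kind=innerunique`, which matches only one arbitrary left row per join key, so all but one (UserId, ClientIP, Site_Url) combination for each user agent is silently dropped before the IP, Account and URL entity columns are built. If every combination should be reported, the line should read `| join kind=inner (HistoricalActivity) on UserAgent`; if one row per user agent is intended, the summarize key should not have been widened. Separately, `AccountUPNSuffix = tostring(split(UserId, "@")[1])` here and in nonowner_MailboxLogin.yaml is unguarded, whereas the sibling queries in this commit wrap the same split in `iff(UserId contains '@', ...)` and also derive an NTDomain from a `\` form, so the Account entity is populated inconsistently across the solution. The enclosing query starts outside the hunk.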
@@ -22,18 +22,23 @@ tags:
 - Solorigate
 - NOBELIUM
 query: |
-
 OfficeActivity
+ | where OfficeWorkload == "Exchange"
 | where Operation == "MailboxLogin" and Logon_Type != "Owner"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Operation, OrganizationName, UserType, UserId, MailboxOwnerUPN, Logon_Type, ClientIP
- | extend timestamp = StartTime, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
+ | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
+ | extend IP_0_Address = ClientIP
+ | extend Account_0_Name = AccountName
+ | extend Account_0_UPNSuffix = AccountUPNSuffix
 entityMappings:
 - entityType: Account
 fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: AccountUPNSuffix
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 2.0.0
\ No newline at end of file
+ columnName: ClientIP
+version: 2.0.1
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml b/Solutions/Microsoft 365/Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml
index 7fa4770e59b..1657a6d9480 100644
--- a/Solutions/Microsoft 365/Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml
+++ b/Solutions/Microsoft 365/Hunting Queries/powershell_or_nonbrowser_MailboxLogin.yaml
@@ -1,12 +1,12 @@
 id: 49a4f65a-fe18-408e-afec-042fde93d3ce
-name: Powershell or non-browser mailbox login activity
+name: PowerShell or non-browser mailbox login activity
 description: |
 'Detects mailbox login from Exchange PowerShell. All accounts can use it by default, but admins can change it. Whitelist benign activities.'
 description-detailed: |
- 'This will help you determine if mailbox login was done from Exchange Powershell session.
+ 'This will help you determine if mailbox login was done from Exchange PowerShell session.
 By default, all accounts you create in Office 365 are allowed to use Exchange Online PowerShell. Administrators can use Exchange Online PowerShell to enable or disable a user's ability to connect to Exchange Online PowerShell.
- Whitelist any benign scheduled activities using exchange powershell if applicable in your environment.
+ Whitelist any benign scheduled activities using exchange PowerShell if applicable in your environment.
 References: https://docs.microsoft.com/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps'
 requiredDataConnectors:
 - connectorId: Office365
@@ -21,15 +21,21 @@ relevantTechniques:
 - T1098
 - T1114
 query: |
-
 OfficeActivity
- | where Operation == "MailboxLogin"
+ | where OfficeWorkload == "Exchange" and Operation == "MailboxLogin"
 | where ClientInfoString == "Client=Microsoft.Exchange.Powershell; Microsoft WinRM Client"
 | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by Operation, OrganizationName, UserType, UserId, MailboxOwnerUPN, Logon_Type, ClientInfoString
- | extend timestamp = StartTime, AccountCustomEntity = UserId
+ | extend AccountName = iff(UserId contains '@', tostring(split(UserId, '@')[0]), UserId)
+ | extend AccountUPNSuffix = iff(UserId contains '@', tostring(split(UserId, '@')[1]), '')
+ | extend AccountName = iff(UserId contains '\\', tostring(split(UserId, '\\')[1]), AccountName)
+ | extend AccountNTDomain = iff(UserId contains '\\', tostring(split(UserId, '\\')[0]), '')
 entityMappings:
 - entityType: Account
 fieldMappings:
- - identifier: FullName
- columnName: AccountCustomEntity
-version: 2.0.0
\ No newline at end of file
+ - identifier: Name
+ columnName: AccountName
+ - identifier: UPNSuffix
+ columnName: AccountUPNSuffix
+ - identifier: NTDomain
+ columnName: AccountNTDomain
+version: 2.0.1
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Hunting Queries/sharepoint_downloads.yaml b/Solutions/Microsoft 365/Hunting Queries/sharepoint_downloads.yaml
index 5d91168ccb0..6cbe0c46bf5 100644
--- a/Solutions/Microsoft 365/Hunting Queries/sharepoint_downloads.yaml
+++ b/Solutions/Microsoft 365/Hunting Queries/sharepoint_downloads.yaml
@@ -1,7 +1,7 @@
 id: e8ae1375-4640-430c-ae8e-2514d09c71eb
 name: SharePointFileOperation via clientIP with previously unseen user agents
 description: |
- 'New user agents associated with a clientIP for sharepoint file uploads/downloads.'
+ 'New user agents associated with a clientIP for SharePoint file uploads/downloads.'
 requiredDataConnectors:
 - connectorId: Office365
 dataTypes:
@@ -11,7 +11,6 @@ tactics:
 relevantTechniques:
 - T1030
 query: |
-
 let starttime = todatetime('{{StartTimeISO}}');
 let endtime = todatetime('{{EndTimeISO}}');
 let lookback = starttime - 14d;
@@ -31,10 +30,10 @@ query: |
 ) on ClientIP, UserAgent
 // Some OfficeActivity records do not contain ClientIP information - exclude these for fewer results
 | where not(isempty(ClientIP))
- | extend timestamp = StartTime, IPCustomEntity = ClientIP
+ | extend IP_0_Address = ClientIP
 entityMappings:
 - entityType: IP
 fieldMappings:
 - identifier: Address
- columnName: IPCustomEntity
-version: 2.0.0
\ No newline at end of file
+ columnName: ClientIP
+version: 2.0.1
\ No newline at end of file
diff --git a/Solutions/Microsoft 365/Workbooks/SharePointAndOneDrive.json b/Solutions/Microsoft 365/Workbooks/SharePointAndOneDrive.json
index 9abf879e89c..818b3b36e3c 100644
--- a/Solutions/Microsoft 365/Workbooks/SharePointAndOneDrive.json
+++ b/Solutions/Microsoft 365/Workbooks/SharePointAndOneDrive.json
@@ -190,7 +190,7 @@
 {
 "type": 1,
 "content": {
- "json": "## Operation summary"
+ "json": "## **Operation Summary**"
 },
 "name": "text - 11"
 },
@@ -339,7 +339,7 @@
 "query": "let details = dynamic({OperationDetail});\r\nOfficeActivity \r\n| where \"{Operations:lable}\"==\"All\" or Operation in ({Operations})\r\n| where \"{Users:lable}\"==\"All\" or UserId in ({Users})\r\n| where OfficeWorkload in ('OneDrive', 'SharePoint') and (\"{SelectedWorkload}\"==\"All\" or OfficeWorkload==\"{SelectedWorkload}\")\r\n| where Site_Url != '' \r\n| where details.Type == '*' or (details.Type == 'Operation' and Operation == details.Name) or (details.Type == 'UserId' and UserId == details.Name)\r\n| summarize Number = count() by Site_Url, UserId, Operation, bin(TimeGenerated, 1d)\r\n| order by Number, TimeGenerated",
 "size": 1,
 "exportToExcelOptions": "visible",
- "title": "Sites details",
+ "title": "Site details",
 "timeContext": {
 "durationMs": 0
 },
@@ -361,7 +361,7 @@
 "query": "let details = dynamic({OperationDetail});\r\nOfficeActivity \r\n| where \"{Operations:lable}\"==\"All\" or Operation in ({Operations})\r\n| where \"{Users:lable}\"==\"All\" or UserId in ({Users})\r\n| where OfficeWorkload in ('OneDrive', 'SharePoint') and (\"{SelectedWorkload}\"==\"All\" or OfficeWorkload==\"{SelectedWorkload}\")\r\n| where details.Type == '*' or (details.Type == 'Operation' and Operation == details.Name) or (details.Type == 'UserId' and UserId == details.Name)\r\n| summarize Number = count() by ClientIP , UserId, Operation, bin(TimeGenerated, 1d)\r\n| order by Number, TimeGenerated",
 "size": 1,
 "exportToExcelOptions": "visible",
- "title": "IP addresses details",
+ "title": "IP Address details",
 "timeContext": {
 "durationMs": 0
 },
@@ -379,7 +379,7 @@
 {
 "type": 1,
 "content": {
- "json": "## file operations"
+ "json": "## **File Operations**"
 },
 "name": "text - 12"
 },
@@ -392,7 +392,7 @@
 "exportParameterName": "FileOperations",
 "exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
 "exportToExcelOptions": "visible",
- "title": "FIle operations",
+ "title": "File Operations",
 "timeContext": {
 "durationMs": 0
 },