Merge branch 'master' into pr/10453

noapocalypse · May 9, 2024 · 5ea6c96 · 5ea6c96
2 parents 568c3ea + 4031ddb
commit 5ea6c96
Show file tree

Hide file tree

Showing 12 changed files with 360 additions and 4 deletions.
diff --git a/Hunting Queries/CloudAppEvents/SetPolicyConfigInCloudAppEvents.yaml b/Hunting Queries/CloudAppEvents/SetPolicyConfigInCloudAppEvents.yaml
@@ -0,0 +1,35 @@
+id: fcd4d774-a0c2-4d12-9e9f-f51dfc310873
+name: Policy configuration changes for CloudApp Events
+description: |
+  "This query searches for any action type with high frequency that involves adding, modifying, or removing something in cloud app policies. It sees where the properties are modified such that the old value and new value are different for every property except for minor property changes such as Display Name."
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+tactics:
+  - DomainPolicyModification
+relevantTechniques:
+  - T1484
+query: |
+  CloudAppEvents
+    | where ActionType in ("Update policy.", "Add policy.", "Remove-CrossTenantAccessPolicy", "Add policy to service principal.", "Write PolicyAssignments", "Update authorization policy.", "Delete policy.", "Add owner to policy.", "Write PolicyExemptions", "Remove-LabelPolicy")
+    | mv-expand ActivityObjects
+    | where ActivityObjects.Name != "DisplayName"
+    | where RawEventData["status"] == "Succeeded"
+    | extend AccountMoniker = RawEventData["AccountMoniker"], AccountMonikerLocation = RawEventData["AccountMonikerLocation"], EventName = RawEventData["EventName"], EventNamespace = RawEventData["EventNamespace"], Role = RawEventData["Role"], RoleInstance = RawEventData["RoleInstance"], RoleLocation = RawEventData["RoleLocation"], HttpRequest = RawEventData["httpRequest"]
+    | summarize Count = count() by tostring(AccountMoniker), tostring(AccountMonikerLocation), AccountDisplayName, IPAddress, ActionType, ActivityType, tostring(EventName), tostring(EventNamespace), tostring(Role), tostring(RoleInstance), tostring(RoleLocation), tostring(HttpRequest)
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountDisplayName
+      - identifier: UPNSuffix
+        columnName: EntityUPNSuffix
+      - identifier: FullName
+        columnName: UserId
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPAddress
+version: 1.0.0
+kind: Scheduled
diff --git a/Hunting Queries/MultipleDataSources/SuspiciousActivitiesRelatedToConfidentialDocuments.yaml b/Hunting Queries/MultipleDataSources/SuspiciousActivitiesRelatedToConfidentialDocuments.yaml
@@ -0,0 +1,45 @@
+id: a1adce9c-5945-4a20-984e-d95b6071a791
+name: Integrate Purview with Cloud App Events
+description: |
+  "This query searches for any files in Cloud App Events that have trigger a security alert."
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftCloudAppSecurity
+    dataTypes:
+      - SecurityAlert
+tactics:
+  - Collection
+relevantTechniques:
+  - T1074
+query: |
+  SecurityAlert
+    | where TimeGenerated >= ago(30d)
+    | extend EntitiesDynamicArray = parse_json(Entities) 
+    | mv-expand EntitiesDynamicArray
+    | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name),
+    EntityUPNSuffix = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
+    | where Entitytype =~ "file" and EntityName != ""
+    | join kind=inner(CloudAppEvents
+    | extend ActivityObjectsDynamicArray = parse_json(ActivityObjects) 
+    | mv-expand ActivityObjectsDynamicArray
+    | extend Entitytype = tostring(parse_json(ActivityObjectsDynamicArray).Type), EntityName = tostring(RawEventData.SourceFileName),
+    EntityUPNSuffix = tostring(parse_json(ActivityObjectsDynamicArray).UPNSuffix)
+    | where Entitytype =~ "file") on $left.EntityName == $right.EntityName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: EntityName
+      - identifier: UPNSuffix
+        columnName: EntityUPNSuffix
+      - identifier: FullName
+        columnName: UserId
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+version: 1.0.0
+kind: Scheduled
diff --git a/Solutions/PaloAltoPrismaCloud/Data Connectors/PrismaCloudConn.zip b/Solutions/PaloAltoPrismaCloud/Data Connectors/PrismaCloudConn.zip
diff --git a/Solutions/PaloAltoPrismaCloud/Data Connectors/requirements.txt b/Solutions/PaloAltoPrismaCloud/Data Connectors/requirements.txt
@@ -1,3 +1,3 @@
 azure-functions
-aiohttp==3.9.2
-azure-storage-file-share==12.4.1
+aiohttp==3.9.4
+azure-storage-file-share==12.4.1 
diff --git a/Solutions/Rapid7InsightVM/Data Connectors/InsightVMCloudAPISentinelConn.zip b/Solutions/Rapid7InsightVM/Data Connectors/InsightVMCloudAPISentinelConn.zip
diff --git a/Solutions/Rapid7InsightVM/Data Connectors/requirements.txt b/Solutions/Rapid7InsightVM/Data Connectors/requirements.txt
@@ -2,7 +2,7 @@
 # The Python Worker is managed by Azure Functions platform
 # Manually managing azure-functions-worker may cause unexpected issues
 
-aiohttp==3.9.2
+aiohttp==3.9.4 
 azure-functions==1.6.0
 azure-storage-file-share==12.4.1
 python-dateutil==2.8.2
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CloudAppEvents.yaml
@@ -0,0 +1,64 @@
+id: b97e118c-b7fa-42a6-84de-2e13443fbb8f
+name: Preview - TI map Domain entity to Cloud App Events
+description: |
+    'Identifies compromises and attacks and detect malicious activities in one's domain entity from TI.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+  let dt_lookBack = 1h;
+  let ioc_lookBack = 14d; 
+  let list_tlds =
+    ThreatIntelligenceIndicator
+      | where TimeGenerated >= ago(ioc_lookBack)
+      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+      | where Active == true and ExpirationDateTime > now()
+      | where isnotempty(DomainName)
+      | extend DomainName = tolower(DomainName)
+      | extend parts = split(DomainName, '.')
+      | extend tld = parts[(array_length(parts) - 1)]
+      | summarize count() by tostring(tld)
+      | summarize make_set(tld);
+  let Domain_Indicators =
+    ThreatIntelligenceIndicator
+      | where TimeGenerated >= ago(ioc_lookBack)
+      | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+      | where Active == true and ExpirationDateTime > now()
+      | extend TI_DomainEntity = DomainName;
+    Domain_Indicators
+      | join kind=innerunique (
+    CloudAppEvents
+      | extend IngestionTime = ingestion_time()
+      | where IngestionTime > ago(dt_lookBack)
+      | extend PAUrl = columnifexists("RequestURL", "None")
+      | extend Domain = trim('"', tostring(parseurl(PAUrl).Host))
+      | extend Domain = tolower(Domain)
+      | extend parts = split(Domain, '.')
+      | extend tld = parts[(array_length(parts) - 1)]
+      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_DomainEntity == $right.Domain
+      | where CloudAppEvents_TimeGenerated < ExpirationDateTime
+      | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId
+      | extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, DomainName = max_CloudAppEvents_TimeGenerated_DomainName, ProviderName = max_CloudAppEvents_TimeGenerated_IndicatorProvider, AlertSeverity = max_CloudAppEvents_TimeGenerated_ThreatSeverity, IPAddress = max_CloudAppEvents_TimeGenerated_IPAddress
+      | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, DomainName, ProviderName, AlertSeverity, IPAddress
+entityMappings:
+  - entityType: DNS
+    fieldMappings:
+      - identifier: DomainName
+        columnName: DomainName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPAddress
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml
@@ -1,7 +1,7 @@
 id: 96307710-8bb9-4b45-8363-a90c72ebf86f
 name: TI map Domain entity to EmailEvents
 description: |
-  'Identifies a match in EmailEvents table from any Domain IOC from TI'
+  Identifies a match in EmailEvents table from any Domain IOC from TI
 severity: Medium
 requiredDataConnectors:
   - connectorId: Office365

diff --git a/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml
@@ -0,0 +1,49 @@
+id: 47b9bb10-d216-4359-8cef-08ca2c67e5be
+name: Preview - TI map Email entity to Cloud App Events
+description: |
+  'Identifies compromises and attacks and detect malicious activities in one's email entity from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+  let dt_lookBack = 10d;
+  let ioc_lookBack = 30d;
+  let emailregex = @'^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$';
+  ThreatIntelligenceIndicator
+    | where TimeGenerated >= ago(ioc_lookBack)
+    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    | where Active == true and ExpirationDateTime > now()
+    | where isnotempty(EmailSenderAddress)
+    | join kind=innerunique (CloudAppEvents
+  | extend User_Id = tostring(RawEventData.UserId)
+  | where User_Id != ""
+  | where TimeGenerated >= ago(dt_lookBack) and isnotempty(Application)
+  | extend CloudAppEvents_TimeGenerated = TimeGenerated 
+  | extend User_id = tostring(User_Id)
+  | where User_id matches regex emailregex) on $left.EmailSenderAddress == $right.User_id
+  | where CloudAppEvents_TimeGenerated < ExpirationDateTime
+  | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, User_id
+  | extend Name = tostring(split(User_id, '@', 0)[0]), UPNSuffix = tostring(split(User_id, '@', 1)[0])
+  | extend timestamp = CloudAppEvents_TimeGenerated
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: DisplayName
+        columnName: Name
+      - identifier: FullName
+        columnName: User_Id
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/FileHashEntity_CloudAppEvents.yaml
@@ -0,0 +1,58 @@
+id: 2f6bbf88-f5b0-49a3-b2b5-97fc3664e4d4
+name: Preview - TI map File Hash entity to Cloud App Events
+description: |
+    'Identifies compromises and attacks and detect malicious activities in one's file hash entity from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+    let dt_lookBack = 1h;
+    let ioc_lookBack = 14d;
+    ThreatIntelligenceIndicator
+        | where TimeGenerated >= ago(ioc_lookBack)
+        | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+        | where Active == true and ExpirationDateTime > now()
+        | extend FileHashValue = toupper(FileHashValue)
+        | join kind=innerunique (union isfuzzy=true
+        (CloudAppEvents
+            | join kind=innerunique (union isfuzzy=true(DeviceFileEvents
+            | extend CloudAppEvents_TimeGenerated = TimeGenerated, Event = ReportId, FileHash = toupper(MD5))) on $left.TenantId == $right.TenantId))
+        on $left.FileHashValue == $right.MD5
+    | summarize CloudAppEvents_TimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, FileHash, FileHashType, FileHashValue
+    | extend Description = max_CloudAppEvents_TimeGenerated_Description, ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore, SourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP, SourcePort = max_CloudAppEvents_TimeGenerated_NetworkSourcePort, DestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP, DestinationPort = max_CloudAppEvents_TimeGenerated_NetworkDestinationPort, DeviceName = max_CloudAppEvents_TimeGenerated_DeviceName
+    | project CloudAppEvents_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceName, FileHashType, FileHashValue, FileHash
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: DestinationIP
+  - entityType: IP
+    fieldMappings: 
+      - identifier: Address
+        columnName: SourceIP
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: DeviceName
+  - entityType: FileHash
+    fieldMappings:
+      - identifier: Value
+        columnName: FileHashValue
+      - identifier: Algorithm
+        columnName: FileHashType
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/IPEntity_CloudAppEvents.yaml
@@ -0,0 +1,69 @@
+id: 4e0a6fc8-697e-4455-be47-831b41ea91ac
+name: Preview - TI map IP entity to Cloud App Events
+description: |
+   'Identifies compromises and attacks and detect malicious activities in one's IP entity from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+  let dt_lookBack = 1d;
+  let ioc_lookBack = 14d; 
+  let IP_Indicators = ThreatIntelligenceIndicator
+    | where TimeGenerated >= ago(ioc_lookBack)
+    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+    | where Active == true and ExpirationDateTime > now()
+    | where isnotempty(NetworkIP)
+  or isnotempty(EmailSourceIpAddress)
+  or isnotempty(NetworkDestinationIP)
+  or isnotempty(NetworkSourceIP)
+    | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)
+    | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)
+    | extend TIipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity);
+  IP_Indicators
+    | join kind=innerunique (
+    CloudAppEvents
+      | where TimeGenerated >= ago(dt_lookBack)
+      | extend CloudAppEvents_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.IPAddress
+      | where CloudAppEvents_TimeGenerated < ExpirationDateTime
+      | summarize CloudAppEventsTimeGenerated = argmax(CloudAppEvents_TimeGenerated, *) by IndicatorId, IPAddress
+      | extend
+          Description = max_CloudAppEvents_TimeGenerated_Description,
+          ActivityGroupNames = max_CloudAppEvents_TimeGenerated_ActivityGroupNames,
+          ThreatType = max_CloudAppEvents_TimeGenerated_ThreatType,
+          ExpirationDateTime = max_CloudAppEvents_TimeGenerated_ExpirationDateTime,
+          ConfidenceScore = max_CloudAppEvents_TimeGenerated_ConfidenceScore,
+          TI_ipEntity = max_CloudAppEvents_TimeGenerated_TI_ipEntity,
+          NetworkDestinationIP = max_CloudAppEvents_TimeGenerated_NetworkDestinationIP,
+          NetworkSourceIP = max_CloudAppEvents_TimeGenerated_NetworkSourceIP,
+          EmailSourceIPAddress = max_CloudAppEvents_TimeGenerated_EmailSourceIpAddress
+      | project CloudAppEventsTimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, NetworkDestinationIP, NetworkSourceIP, EmailSourceIPAddress
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: TI_ipEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: NetworkDestinationIP
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: NetworkSourceIP
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: EmailSourceIPAddress
+version: 1.0.1
+kind: Scheduled
diff --git a/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml b/Solutions/Threat Intelligence/Analytic Rules/URLEntity_CloudAppEvents.yaml
@@ -0,0 +1,36 @@
+id: e8ae92dd-1d41-4530-8be8-85c5014c7b47
+name: Preview - TI map URL entity to Cloud App Events
+description: |
+   'Identifies compromises and attacks and detect malicious activities in one's URL entity from TI'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - CloudAppEvents
+  - connectorId: MicrosoftDefenderThreatIntelligence
+    dataTypes:
+      - ThreatIntelligenceIndicator
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+query: |
+  let dt_lookBack = 1h;
+  let ioc_lookBack = 14d;
+  ThreatIntelligenceIndicator
+  | where TimeGenerated >= ago(ioc_lookBack)
+  | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
+  | where Active == true and ExpirationDateTime > now()
+  | join kind=innerunique (CloudAppEvents
+  | extend Url = extract("(http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\\(\\),]|(?:%[0-9a-fA-F][0-9a-fA-F]))+);", 1, tostring(ActivityObjects))
+  | extend userPrincipalName = tostring(parse_json(tostring(AccountId)).userPrincipalName)
+  | extend TargetResourceDisplayName = tostring(ActivityObjects[0].displayName)
+  | extend CloudApps_TimeGenerated = TimeGenerated) on Url
+  | where CloudApps_TimeGenerated < ExpirationDateTime
+  | summarize CloudApps_TimeGenerated = argmax(CloudApps_TimeGenerated, *) by IndicatorId, Url
+  | extend Description = max_CloudApps_TimeGenerated_Description, ActivityGroupNames = max_CloudApps_TimeGenerated_ActivityGroupNames, ThreatType = max_CloudApps_TimeGenerated_ThreatType, ExpirationDateTime = max_CloudApps_TimeGenerated_ExpirationDateTime, ConfidenceScore = max_CloudApps_TimeGenerated_ConfidenceScore
+  | project CloudApps_TimeGenerated, Description, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore
+version: 1.0.1
+kind: Scheduled