Azure
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml‎
Lines changed: 40 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml‎
Lines changed: 40 additions & 0 deletions
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml‎
Lines changed: 47 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml‎
Lines changed: 86 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - External User added to Team and immediately uploads file.yaml‎
Lines changed: 86 additions & 0 deletions
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml‎
Lines changed: 71 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - ExternalUserAddedRemovedInTeams.yaml‎
Lines changed: 71 additions & 0 deletions
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml‎
Lines changed: 55 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - Mail_redirect_via_ExO_transport_rule.yaml‎
Lines changed: 55 additions & 0 deletions
diff --git a/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml‎
Lines changed: 56 additions & 0 deletions b/‎Solutions/Global Secure Access/Analytic Rules/Office 365 - Malicious_Inbox_Rule.yaml‎
Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,40 @@
+id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
+name: Detect Connections Outside Operational Hours
+description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 24h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+  - T1133
+query: |
+  let starttime = todatetime('{{StartTimeISO}}');
+  let endtime = todatetime('{{EndTimeISO}}');
+  let operational_start_hour = 8; // Start of operational hours (8 AM)
+  let operational_end_hour = 18; // End of operational hours (6 PM)
+  NetworkAccessTraffic
+  | where TimeGenerated between(starttime .. endtime)
+  | extend HourOfDay = datetime_part('hour', TimeGenerated)
+  | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
+  | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
+  | extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,47 @@
+id: 57abf863-1c1e-46c6-85b2-35370b712c1e
+name: Detect IP Address Changes and Overlapping Sessions
+description: |
+  This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 24h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+  - T1133
+query: |
+  // Identify sessions
+  let sessions = 
+    NetworkAccessTraffic
+    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId
+    | sort by StartTime asc;
+  // Check for changed IP addresses and overlapping session times
+  sessions
+    | extend PreviousSourceIps = prev(SourceIps, 1)
+    | extend PreviousEndTime = prev(EndTime, 1)
+    | extend PreviousDeviceId = prev(DeviceId, 1)
+    | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
+    | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName
+    | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ
+    | where PreviousEndTime > StartTime // Check for overlapping session times
+    | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime
+    | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,86 @@
+id: 4d38f80f-6b7d-4a1f-aeaf-e38df637e6ac
+name: Accessed files shared by temporary external user
+description: |
+  'This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.'
+severity: Low
+status: Available 
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+    let fileAccessThreshold = 10;
+    EnrichedMicrosoft365AuditLogs
+    | where Workload =~ "MicrosoftTeams"
+    | where Operation =~ "MemberAdded"
+    | extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)
+    | where MemberAdded contains "#EXT#"
+    | project TimeAdded = TimeGenerated, Operation, MemberAdded, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
+    | join kind=inner (
+        EnrichedMicrosoft365AuditLogs
+        | where Workload =~ "MicrosoftTeams"
+        | where Operation =~ "MemberRemoved"
+        | extend MemberAdded = tostring(parse_json(tostring(AdditionalProperties)).Members[0].UPN)
+        | where MemberAdded contains "#EXT#"
+        | project TimeDeleted = TimeGenerated, Operation, MemberAdded, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
+    ) on MemberAdded, TeamName
+    | where TimeDeleted > TimeAdded
+    | join kind=inner (
+        EnrichedMicrosoft365AuditLogs
+        | where RecordType == "SharePointFileOperation"
+        | where Operation == "FileUploaded"
+        | extend MemberAdded = UserId, SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
+        | where SourceRelativeUrl has "Microsoft Teams Chat Files"
+        | join kind=inner (
+            EnrichedMicrosoft365AuditLogs
+            | where RecordType == "SharePointFileOperation"
+            | where Operation == "FileAccessed"
+            | extend SourceRelativeUrl = tostring(parse_json(tostring(AdditionalProperties)).SourceRelativeUrl), TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName)
+            | where SourceRelativeUrl has "Microsoft Teams Chat Files"
+            | summarize FileAccessCount = count() by ObjectId, TeamName
+            | where FileAccessCount > fileAccessThreshold
+        ) on ObjectId, TeamName
+    ) on MemberAdded, TeamName
+    | project-away MemberAdded1, MemberAdded2, ObjectId1, Operation1, Operation2
+    | extend MemberAddedAccountName = tostring(split(MemberAdded, "@")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded, "@")[1])
+    | extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
+    | extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: MemberAdded
+      - identifier: Name
+        columnName: MemberAddedAccountName
+      - identifier: UPNSuffix
+        columnName: MemberAddedAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserWhoAdded
+      - identifier: Name
+        columnName: UserWhoAddedAccountName
+      - identifier: UPNSuffix
+        columnName: UserWhoAddedAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserWhoDeleted
+      - identifier: Name
+        columnName: UserWhoDeletedAccountName
+      - identifier: UPNSuffix
+        columnName: UserWhoDeletedAccountUPNSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIP
+version: 2.1.1
+kind: Scheduled
@@ -0,0 +1,71 @@
+id: 1a8f1297-23a4-4f09-a20b-90af8fc3641a
+name: External User Added and Removed in Short Timeframe
+description: |
+  This detection flags the occurrences of external user accounts that are added to a Team and then removed within one hour.
+severity: Low
+status: Available 
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1136
+query: |
+    let TeamsAddDel = (Op:string){
+    EnrichedMicrosoft365AuditLogs
+      | where Workload =~ "MicrosoftTeams"
+      | where Operation == Op
+      | where tostring(AdditionalProperties.Members) has ("#EXT#")
+      | mv-expand Members = parse_json(tostring(AdditionalProperties.Members))
+      | extend UPN = tostring(Members.UPN)
+      | where UPN has ("#EXT#")
+      | project TimeGenerated, Operation, UPN, UserId, TeamName = tostring(AdditionalProperties.TeamName), ClientIP = SourceIp
+    };
+    let TeamsAdd = TeamsAddDel("MemberAdded")
+    | project TimeAdded = TimeGenerated, Operation, MemberAdded = UPN, UserWhoAdded = UserId, TeamName, ClientIP;
+    let TeamsDel = TeamsAddDel("MemberRemoved")
+    | project TimeDeleted = TimeGenerated, Operation, MemberRemoved = UPN, UserWhoDeleted = UserId, TeamName, ClientIP;
+    TeamsAdd
+    | join kind = inner (TeamsDel) on $left.MemberAdded == $right.MemberRemoved
+    | where TimeDeleted > TimeAdded
+    | project TimeAdded, TimeDeleted, MemberAdded_Removed = MemberAdded, UserWhoAdded, UserWhoDeleted, TeamName
+    | extend MemberAdded_RemovedAccountName = tostring(split(MemberAdded_Removed, "@")[0]), MemberAddedAccountUPNSuffix = tostring(split(MemberAdded_Removed, "@")[1])
+    | extend UserWhoAddedAccountName = tostring(split(UserWhoAdded, "@")[0]), UserWhoAddedAccountUPNSuffix = tostring(split(UserWhoAdded, "@")[1])
+    | extend UserWhoDeletedAccountName = tostring(split(UserWhoDeleted, "@")[0]), UserWhoDeletedAccountUPNSuffix = tostring(split(UserWhoDeleted, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: MemberAdded_Removed
+      - identifier: Name
+        columnName: MemberAdded_RemovedAccountName
+      - identifier: UPNSuffix
+        columnName: MemberAddedAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserWhoAdded
+      - identifier: Name
+        columnName: UserWhoAddedAccountName
+      - identifier: UPNSuffix
+        columnName: UserWhoAddedAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserWhoDeleted
+      - identifier: Name
+        columnName: UserWhoDeletedAccountName
+      - identifier: UPNSuffix
+        columnName: UserWhoDeletedAccountUPNSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIp
+version: 2.1.2
+kind: Scheduled
@@ -0,0 +1,55 @@
+id: edcfc2e0-3134-434c-8074-9101c530d419
+name: Mail redirect via ExO transport rule
+description: |
+  'Identifies when Exchange Online transport rule configured to forward emails.
+  This could be an adversary mailbox configured to collect mail from multiple user accounts.'
+severity: Medium
+status: Available 
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Collection
+  - Exfiltration
+relevantTechniques:
+  - T1114
+  - T1020
+query: |
+    EnrichedMicrosoft365AuditLogs
+    | where Workload == "Exchange"
+    | where Operation in~ ("New-TransportRule", "Set-TransportRule")
+    | mv-apply DynamicParameters = todynamic(tostring(AdditionalProperties.Parameters)) on (
+        summarize ParsedParameters = make_bag(pack(tostring(DynamicParameters.Name), DynamicParameters.Value))
+      )
+    | extend RuleName = case(
+        Operation =~ "Set-TransportRule", ObjectId,  // Assuming ObjectId maps to what was previously OfficeObjectId
+        Operation =~ "New-TransportRule", ParsedParameters.Name,
+        "Unknown"
+      )
+    | mv-expand ExpandedParameters = todynamic(tostring(AdditionalProperties.Parameters))
+    | where ExpandedParameters.Name in~ ("BlindCopyTo", "RedirectMessageTo") and isnotempty(ExpandedParameters.Value)
+    | extend RedirectTo = ExpandedParameters.Value
+    | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P<IPAddress>(\d+\.\d+\.\d+\.\d+)|[^\]]+)\]?([-:](?P<Port>\d+))?', dynamic(["IPAddress", "Port"]), ClientIp)[0]
+    | extend From = ParsedParameters.From
+    | project TimeGenerated, RedirectTo, IPAddress = tostring(ClientIPValues[0]), Port = tostring(ClientIPValues[1]), UserId, From, Operation, RuleName, Parameters = tostring(AdditionalProperties.Parameters)
+    | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserId
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPAddress
+version: 2.0.4
+kind: Scheduled
@@ -0,0 +1,56 @@
+id: a9c76c8d-f60d-49ec-9b1f-bdfee6db3807
+name: Malicious Inbox Rule
+description: |
+  'Often times after the initial compromise the attackers create inbox rules to delete emails that contain certain keywords.
+   This is done so as to limit ability to warn compromised users that they've been compromised. Below is a sample query that tries to detect this.
+  Reference: https://www.reddit.com/r/sysadmin/comments/7kyp0a/recent_phishing_attempts_my_experience_and_what/'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+  - DefenseEvasion
+relevantTechniques:
+  - T1098
+  - T1078
+query: |
+    let Keywords = dynamic(["helpdesk", "alert", "suspicious", "fake", "malicious", "phishing", "spam", "do not click", "do not open", "hijacked", "Fatal"]);
+    EnrichedMicrosoft365AuditLogs
+    | where Workload =~ "Exchange"
+    | where Operation =~ "New-InboxRule" and (ResultStatus =~ "True" or ResultStatus =~ "Succeeded")
+    | where tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "Deleted Items" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "Junk Email" or tostring(parse_json(tostring(AdditionalProperties)).Parameters) has "DeleteMessage"
+    | extend Events = parse_json(tostring(AdditionalProperties)).Parameters
+    | extend SubjectContainsWords = tostring(Events.SubjectContainsWords), BodyContainsWords = tostring(Events.BodyContainsWords), SubjectOrBodyContainsWords = tostring(Events.SubjectOrBodyContainsWords)
+    | where SubjectContainsWords has_any (Keywords) or BodyContainsWords has_any (Keywords) or SubjectOrBodyContainsWords has_any (Keywords)
+    | extend ClientIPAddress = case(ClientIp has ".", tostring(split(ClientIp, ":")[0]), ClientIp has "[", tostring(trim_start(@'[[]',tostring(split(ClientIp, "]")[0]))), ClientIp)
+    | extend Keyword = iff(isnotempty(SubjectContainsWords), SubjectContainsWords, (iff(isnotempty(BodyContainsWords), BodyContainsWords, SubjectOrBodyContainsWords)))
+    | extend RuleDetail = case(ObjectId contains '/', tostring(split(ObjectId, '/')[-1]), tostring(split(ObjectId, '\\')[-1]))
+    | summarize count(), StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Operation, UserId, ClientIPAddress, ResultStatus, Keyword, ObjectId, RuleDetail
+    | extend AccountName = tostring(split(UserId, "@")[0]), AccountUPNSuffix = tostring(split(UserId, "@")[1])
+
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: UserId
+      - identifier: Name
+        columnName: AccountName
+      - identifier: UPNSuffix
+        columnName: AccountUPNSuffix
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: OriginatingServer
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ClientIPAddress
+version: 2.0.4
+kind: Scheduled