Merge branch 'Azure:master' into master

Azure · Sep 20, 2024 · 43133aa · 43133aa
2 parents 545b2ba + fca4648
commit 43133aa
Show file tree

Hide file tree

Showing 314 changed files with 10,551 additions and 5,202 deletions.
diff --git a/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md b/DataConnectors/AzureFunctionsManualDeploymentWithPythonVersion3.9.md
@@ -0,0 +1,40 @@
+# Function app manual deployment instructions 
+
+- Start VS Code. Choose File in the main menu and select Open Folder.
+
+- Select the top level folder from extracted files.
+
+- Choose the Azure icon in the Activity bar, if you aren't already signed in, choose the Azure icon in the Activity bar, then in the Azure: Functions area, choose Sign in to Azure
+
+- If you're already signed in, go to the next step.
+
+- Provide the following information at the prompts:
+
+	a. **Select folder**: Choose a folder from your workspace or browse to one that contains your function app.
+
+	b. **Select Subscription**: Choose the subscription to use under resources.
+
+	![Select Subscription](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/subscription.png)
+
+	c. Right click on the functions and select **Create new Function App in Azure** (Don't choose the Advanced option)
+
+	![Create new Function App in Azure](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/CreatenewFunctionApp.png)
+
+	d. **Enter a globally unique name for the function app**: Type a name that is valid in a URL path. The name you type is validated to make sure that it's unique in Azure Functions. (e.g. UmbrellaXYZ).
+
+	![Enter a globally unique name](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/globallyuniquename.png)
+
+	e. **Select a runtime**: Choose Python 3.9.
+
+	![Select a runtime](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectaruntime.png)
+
+	f. Select a location for new resources. For better performance and lower costs choose the same [region](https://azure.microsoft.com/regions/) where Microsoft Sentinel is located.
+
+	![Select a location for new resources](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Selectalocation.png)
+
+- Deployment will begin. A notification is displayed after your function app is created.
+
+- Deploy the function in Function app: Once the function app is created click on deploy button under workspace section. Select the Subcription and the function app in which function needs to be deployed.
+![Deploy the function in Function app](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/Images/Deploythefunction.png)
+
+- Go to Azure Portal for the Function App configuration. 
diff --git a/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML b/Hunting Queries/Microsoft 365 Defender/Device Inventory/MDE_FindOutOfDateClients.YAML
@@ -5,17 +5,17 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceInfo
+  - DeviceInfo
 query: |
-//Find out of date clients
-DeviceInfo
-| where OSPlatform contains "Windows"
-| summarize arg_max(Timestamp, *) by DeviceId
-| extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
-| where MajorClientVersion < 10.8500
-| where OnboardingStatus == "Onboarded"
-| project-reorder ClientVersion
-version: 1.0.0
+  //Find out of date clients
+  DeviceInfo
+  | where OSPlatform contains "Windows"
+  | summarize arg_max(Timestamp, *) by DeviceId
+  | extend MajorClientVersion = todouble(substring(ClientVersion, 0, 7))
+  | where MajorClientVersion < 10.8500
+  | where OnboardingStatus == "Onboarded"
+  | project-reorder ClientVersion
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_AVScanTimesAndType.YAML
@@ -5,15 +5,15 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-//List all the scan types and device name of those scans
-DeviceEvents
-| where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
-| extend A=parse_json(AdditionalFields)  
-| project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
-| sort by Timestamp desc
-version: 1.0.0
+  //List all the scan types and device name of those scans
+  DeviceEvents
+  | where ActionType in ("AntivirusScanCompleted", "AntivirusScanCancelled")
+  | extend A=parse_json(AdditionalFields)  
+  | project Timestamp, DeviceName, ActionType,ScanType = A.ScanTypeIndex, StartedBy= A.User
+  | sort by Timestamp desc
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BlockingASRRules.YAML
@@ -5,15 +5,15 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-DeviceEvents 
-| where ActionType startswith "ASR"
-| extend Fields=parse_json(AdditionalFields)
-| extend IsAudit = tostring(Fields.IsAudit)
-| where IsAudit == "false"
-| project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
-version: 1.0.0
+  DeviceEvents 
+  | where ActionType startswith "ASR"
+  | extend Fields=parse_json(AdditionalFields)
+  | extend IsAudit = tostring(Fields.IsAudit)
+  | where IsAudit == "false"
+  | project Timestamp, DeviceName, ActionType, IsAudit, ReportId, DeviceId
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_BrowserExtensionInstalled.YAML
@@ -5,13 +5,13 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-DeviceFileEvents 
-| where FileOriginReferrerUrl <> ""
-| where FileName contains ".crx"
-| project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
-version: 1.0.0
+  DeviceFileEvents 
+  | where FileOriginReferrerUrl <> ""
+  | where FileName contains ".crx"
+  | project DeviceName, FileName, FolderPath, FileOriginReferrerUrl
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceHealth.YAML
@@ -5,23 +5,23 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceTvmSecureConfigurationAssessment
+  - DeviceTvmSecureConfigurationAssessment
 query: |
-let avmodetable = DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId == "scid-2010" and isnotnull(Context)
-| extend avdata=parsejson(Context)
-| extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2', 'SxS Passive' ,'Unknown'))))
-| project DeviceId, AVMode;
-DeviceTvmSecureConfigurationAssessment
-| where ConfigurationId == "scid-2011" and isnotnull(Context)
-| extend avdata=parsejson(Context)
-| extend AVSigVersion = tostring(avdata[0][0])
-| extend AVEngineVersion = tostring(avdata[0][1])
-| extend AVSigLastUpdateTime = tostring(avdata[0][2])
-| project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
-| join avmodetable on DeviceId
-| project-away DeviceId1
-version: 1.0.0
+  let avmodetable = DeviceTvmSecureConfigurationAssessment
+  | where ConfigurationId == "scid-2010" and isnotnull(Context)
+  | extend avdata=parsejson(Context)
+  | extend AVMode = iif(tostring(avdata[0][0]) == '0', 'Active' , iif(tostring(avdata[0][0]) == '1', 'Passive' ,iif(tostring(avdata[0][0]) == '4', 'EDR Blocked',iif(tostring(avdata[0][0]) == '2',  'SxS Passive' ,'Unknown'))))
+  | project DeviceId, AVMode;
+  DeviceTvmSecureConfigurationAssessment
+  | where ConfigurationId == "scid-2011" and isnotnull(Context)
+  | extend avdata=parsejson(Context)
+  | extend AVSigVersion = tostring(avdata[0][0])
+  | extend AVEngineVersion = tostring(avdata[0][1])
+  | extend AVSigLastUpdateTime = tostring(avdata[0][2])
+  | project DeviceId, DeviceName, OSPlatform, AVSigVersion, AVEngineVersion, AVSigLastUpdateTime, IsCompliant, IsApplicable
+  | join avmodetable on DeviceId
+  | project-away DeviceId1
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_DeviceInventory-LastUserLoggedIn.YAML
@@ -5,34 +5,34 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceEvents
+  - DeviceEvents
 query: |
-let LastLogins=DeviceLogonEvents
+  let LastLogins=DeviceLogonEvents
     | where LogonType == "Interactive"
     | where InitiatingProcessParentFileName == "wininit.exe"
     | summarize LastLogon=arg_max(Timestamp, *) by AccountName, DeviceName
     | project AccountName, DeviceName, LastLogon;
-let Logins=DeviceLogonEvents
+  let Logins=DeviceLogonEvents
     | where LogonType == "Interactive"
     | where InitiatingProcessParentFileName == "wininit.exe"        
     | summarize Logins=count() by AccountName, DeviceName
     | project AccountName, Logins, DeviceName;
-let NetworkInfo=DeviceNetworkInfo
+  let NetworkInfo=DeviceNetworkInfo
     | where IPv4Dhcp <> ""
     | mvexpand parse_json(IPAddresses)
     | where IPAddresses.IPAddress !contains ":"
     | summarize arg_max(Timestamp, *) by DeviceName
     | project DeviceName, IPAddress=IPAddresses.IPAddress, Timestamp;
-Logins
-| join kind=inner ( LastLogins
+  Logins
+  | join kind=inner ( LastLogins
     | project AccountName, DeviceName, LastLogon
-) on DeviceName, AccountName
-| join kind=leftouter  ( NetworkInfo
+  ) on DeviceName, AccountName
+  | join kind=leftouter  ( NetworkInfo
     | project DeviceName, IPAddress, Timestamp
-) on DeviceName
-| project AccountName, DeviceName, LastLogon, Logins, IPAddress
-| sort by DeviceName
-version: 1.0.0
+  ) on DeviceName
+  | project AccountName, DeviceName, LastLogon, Logins, IPAddress
+  | sort by DeviceName
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_Evidenceforasingledevice.YAML
@@ -5,52 +5,52 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - AlertEvidence
+  - AlertEvidence
 query: |
-//Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
-let _F = AlertEvidence
+  //Find all alert evidence for a single endpoint. This is handy for exporting to a third-party SIEM.
+  let _F = AlertEvidence
     | where DeviceName == "Yourendpointhere" 
     | distinct AlertId;
-let _Process = AlertEvidence
+  let _Process = AlertEvidence
     | where EntityType == "Process"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, FileName, FolderPath, SHA1, SHA256, FileSize, ProcessCommandLine, AdditionalFields;
-let _IP = AlertEvidence
+  let _IP = AlertEvidence
     | where EntityType == "Ip"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, RemoteIP, AdditionalFields;
-let _URL = AlertEvidence
+  let _URL = AlertEvidence
     | where EntityType == "Url"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, RemoteUrl, AdditionalFields;
-let _User = AlertEvidence
+  let _User = AlertEvidence
     | where EntityType == "User"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, AccountName, AccountDomain, AccountSid, AccountUpn, AdditionalFields;
-let _Machine = AlertEvidence
+  let _Machine = AlertEvidence
     | where EntityType == "Machine"
     | join kind=inner _F 
         on $left.AlertId == $right.AlertId
     | order by Timestamp, AlertId
     | project AlertId, DeviceName, LocalIP, AdditionalFields;
-_Machine
-| join _F on $left.AlertId == $right.AlertId
-| join _IP on $left.AlertId == $right.AlertId
-| join _Process on $left.AlertId == $right.AlertId
-| join _URL on $left.AlertId == $right.AlertId
-| join _User on $left.AlertId == $right.AlertId
-| distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, 
+  _Machine
+  | join _F on $left.AlertId == $right.AlertId
+  | join _IP on $left.AlertId == $right.AlertId
+  | join _Process on $left.AlertId == $right.AlertId
+  | join _URL on $left.AlertId == $right.AlertId
+  | join _User on $left.AlertId == $right.AlertId
+  | distinct AlertId, AccountDomain, AccountName, AccountSid, AccountUpn, 
     DeviceName, LocalIP, FileSize, FolderPath, SHA1, SHA256, ProcessCommandLine,
     RemoteIP, RemoteUrl
-version: 1.0.0
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindDefenderSettingsOnEndpoints.YAML
@@ -5,18 +5,18 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceBaselineComplianceAssessment
+  - DeviceBaselineComplianceAssessment
 query: |
-//Find Windows Defender Settings
-DeviceBaselineComplianceAssessment 
-| where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
-| project DeviceName, Source, CurrentValue
+  //Find Windows Defender Settings
+  DeviceBaselineComplianceAssessment 
+  | where Source contains "hkey_local_machine\\software\\policies\\microsoft\\windows defender\\"
+  | project DeviceName, Source, CurrentValue
 
-//Find Windows Defender Security Center Settings
-DeviceBaselineComplianceAssessment 
-| where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
-| project DeviceName, Source, CurrentValue
-version: 1.0.0
+  //Find Windows Defender Security Center Settings
+  DeviceBaselineComplianceAssessment 
+  | where Source contains "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender Security Center\\"
+  | project DeviceName, Source, CurrentValue
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindLNKFilesOnEndpoints.YAML
@@ -5,14 +5,14 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-//Find LNK files on certain devices
-DeviceFileEvents
-| where DeviceName  == "EndpointNameHere"
-| where FileName contains ".LNK" 
-| project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
-version: 1.0.0
+  //Find LNK files on certain devices
+  DeviceFileEvents
+  | where DeviceName  == "EndpointNameHere"
+  | where FileName contains ".LNK" 
+  | project Timestamp, DeviceName, ActionType, FileName, FolderPath, PreviousFileName, PreviousFolderPath, InitiatingProcessAccountName, InitiatingProcessFolderPath
+version: 1.0.1
 metadata:
     source:
         kind: Community

diff --git a/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML b/Hunting Queries/Microsoft 365 Defender/Discovery/MDE_FindMountedISOandDriveLetters.YAML
@@ -5,29 +5,29 @@ description: |
 requiredDataConnectors:
 - connectorId: MicrosoftThreatProtection
   dataTypes:
- - DeviceFileEvents
+  - DeviceFileEvents
 query: |
-//Find Mounted ISO files and drive letters
-DeviceFileEvents
-| where Timestamp > ago(1d)
-| where FileName endswith "iso"
-| project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
-| join kind = inner ( 
+  //Find Mounted ISO files and drive letters
+  DeviceFileEvents
+  | where Timestamp > ago(1d)
+  | where FileName endswith "iso"
+  | project DeviceName, FileName, ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), FolderPath
+   | join kind = inner ( 
     DeviceFileEvents
     | where Timestamp > ago(1d)
     | where FileName endswith "lnk" 
     | extend ['LNK FileName'] = FileName
     | project ['LNK FileName'], DeviceName
     ) on DeviceName
-| join kind = inner (
+  | join kind = inner (
     DeviceRegistryEvents 
     | where Timestamp > ago(1d)
     | where RegistryKey contains "MountedDevices"
     | project ['Date']=format_datetime(Timestamp,'MM/dd/yyyy'), DeviceName, RegistryValueName
     ) on DeviceName
-| where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
-| distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
-version: 1.0.0
+  | where trim(@".lnk", ['LNK FileName']) == trim(@".iso", FileName)
+  | distinct ['Date'],DeviceName, ['LNK FileName'], FileName, FolderPath, RegistryValueName
+version: 1.0.1
 metadata:
     source:
         kind: Community