Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzSentinelAlertRuleTemplate fails with "Value cannot be null" #14545

Closed madhuperera closed 3 years ago

madhuperera commented 3 years ago

I am trying to run Get-AzSentinelAlertRuleTemplate with ResourceGroupName and WorkspaceName switches to get a list of all templates, but I keep getting the error below:

Get-AzSentinelAlertRuleTemplate : Value cannot be null.
Parameter name: source
At line:1 char:1

Appreciate your help.

dingmeng-xue commented 3 years ago

@dicolanl and @tianderturpijn, could you help to look into this question?

tianderturpijn commented 3 years ago

@madhuperera, can you please share your full script line? The syntax is:

Get-AzSentinelAlertrule -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName

madhuperera commented 3 years ago

Hi,

I have no issues running Get-AzSentinelAlertrule. The issue is with running Get-AzSentinelAlertruleTemplate -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName

Have tested on two PCs and against 3 different subscriptions and I get the same error.

😊 I can send more screenshots later when I'm at my PC.

tianderturpijn commented 3 years ago

Apologies @madhuperera, read and typed too fast. This has been fixed in our GA code, but it has not been released yet. We are hoping to release it real soon.

madhuperera commented 3 years ago

Awesome.. Was pulling my hair thinking it's just me. Thanks for letting me know 😁

tianderturpijn commented 3 years ago

Thanks for your patience. Closing the issue - fixed in GA code.

challengelogic commented 3 years ago

Hello

I get this same error:

Get-AzSentinelAlertRuleTemplate -ResourceGroupName $sourceRgName -WorkspaceName $sourceLaName

Get-AzSentinelAlertRuleTemplate : Value cannot be null.

I have run: Update-Module Az.SecurityInsights

Version after update is: 0.2.0 Az.SecurityInsights

Looks like still an issue.

dicolanl commented 3 years ago

@challengelogic I just tested and it works fine

PS C:\Users\user> $templates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName SOC -WorkspaceName CyberSecuritySOC

PS C:\Users\user> $templates.Count
306

Could you run it with -Debug on the end and share the result?

challengelogic commented 3 years ago

Hello

Thank you, yes below:

PS C:\WINDOWS\system32> Get-AzSentinelAlertRule -ResourceGroupName $sourceRgName -WorkspaceName $sourceLaName -Debug
DEBUG: 16:38:16 - GetIncidents begin processing with ParameterSet 'WorkspaceScope'.
DEBUG: 16:38:19 - using account id 'xxxx'...
DEBUG: [Common.Authentication]: Authenticating using Account: 'xxxxx', environment: 'AzureCloud', tenant: 'xxxx'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2021-05-13T16:33:37.0000000+00:00
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2021-05-13T16:33:37.0000000+00:00

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://management.azure.com/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/alertRules?api-version=2020-01-01

Headers:
x-ms-client-request-id : 56e95eb7-a6c5-4a79-8a53-9dd6b99b76f8
accept-language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-request-id : b1680999-d2b2-4393-a3e0-0eee966342af
x-ms-correlation-request-id : b1680999-d2b2-4393-a3e0-0eee966342af
x-ms-routing-request-id : UKSOUTH:20210513T153823Z:b1680999-d2b2-4393-a3e0-0eee966342af
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Thu, 13 May 2021 15:38:23 GMT
Server : Kestrel

Body: { "value": [] }

DEBUG: AzureQoSEvent: CommandName - Get-AzSentinelAlertRule; IsSuccess - True; Duration - 00:00:03.0707676
DEBUG: Finish sending metric.
DEBUG: 16:38:20 - GetIncidents end processing.

PS C:\WINDOWS\system32> $sourceTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $sourceRgName -WorkspaceName $sourceLaName

Get-AzSentinelAlertRuleTemplate : Value cannot be null.

Parameter name: source At line:1 char:20

PS C:\WINDOWS\system32>



dicolanl commented 3 years ago

@challengelogic Looks like the 1st command worked fine without error. Just returned nothing. Value: []

but could you rerun "$sourceTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $sourceRgName -WorkspaceName $sourceLaName" with -Debug.

Really odd error. As you can see here, there is no Source parameter name, so not sure why it's saying it can't be null.
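A workaround, added here as an example rather than code from the Az.SecurityInsights module or from anyone in this thread: read the same `alertRuleTemplates` REST endpoint that the cmdlet's -Debug output shows returning 200 OK, but through `Invoke-AzRestMethod` (Az.Accounts) so that the module's client-side deserialization is skipped entirely. "Value cannot be null. Parameter name: source" is the `ArgumentNullException` text that .NET's LINQ extension methods raise when handed a null sequence; the thread never pins down which field triggers it, and the response body captured in this thread contains templates that omit optional arrays such as `tactics` or `requiredDataConnectors`, so the script treats every array as optional. It follows `nextLink` paging, and it needs an existing `Connect-AzAccount` session with read access to the workspace. The subscription, resource group and workspace names are placeholders.

```powershell
# Added example (not part of the Az.SecurityInsights module): enumerate Microsoft Sentinel
# analytics rule templates straight from the ARM REST API while Get-AzSentinelAlertRuleTemplate
# is throwing. Requires Az.Accounts (for Invoke-AzRestMethod) and a logged-in Az context.
param(
    # Placeholder values; replace with your own.
    [string]$SubscriptionId    = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroupName = 'rg-sentinel',
    [string]$WorkspaceName     = 'la-sentinel',
    [string]$ApiVersion        = '2020-01-01'   # the version the cmdlet's -Debug output uses
)

function Get-SentinelAlertRuleTemplateRaw {
    # Returns the raw template objects (id/name/type/kind/properties) from the list API,
    # following nextLink until the last page.
    param([string]$SubscriptionId, [string]$ResourceGroupName, [string]$WorkspaceName, [string]$ApiVersion)

    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=$ApiVersion"

    while ($path) {
        $resp = Invoke-AzRestMethod -Path $path -Method GET
        if ($resp.StatusCode -ne 200) {
            throw "alertRuleTemplates returned HTTP $($resp.StatusCode): $($resp.Content)"
        }
        $page = $resp.Content | ConvertFrom-Json
        foreach ($t in $page.value) { $t }
        # nextLink is an absolute URI; -Path wants only the path and query string.
        $path = if ($page.nextLink) { ([uri]$page.nextLink).PathAndQuery } else { $null }
    }
}

function ConvertTo-TemplateSummary {
    # Flattens one template into a row, tolerating arrays the API may leave out.
    param([Parameter(ValueFromPipeline)] $Template)
    process {
        $p = $Template.properties
        # Optional arrays: some templates carry no tactics, some no requiredDataConnectors.
        $tactics    = if ($null -eq $p.tactics)                { @() } else { @($p.tactics) }
        $connectors = if ($null -eq $p.requiredDataConnectors) { @() } else { @($p.requiredDataConnectors) }
        [pscustomobject]@{
            Name        = $Template.name
            Kind        = $Template.kind
            DisplayName = $p.displayName
            Severity    = $p.severity
            Status      = $p.status
            Tactics     = ($tactics -join ',')
            Connectors  = (($connectors | ForEach-Object { $_.connectorId }) -join ',')
            DataTypes   = (($connectors | ForEach-Object { $_.dataTypes })   -join ',')
            HasQuery    = [bool]$p.query   # Anomaly and Fusion kinds carry no KQL query
            InUse       = [int]$p.alertRulesCreatedByTemplateCount
        }
    }
}

$templates = Get-SentinelAlertRuleTemplateRaw -SubscriptionId $SubscriptionId `
    -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ApiVersion $ApiVersion
$summary = @($templates | ConvertTo-TemplateSummary)

"{0} templates returned" -f $summary.Count
$summary | Group-Object Kind | Select-Object Name, Count

# Templates that declare no data connector at all: check these by hand before enabling.
$summary | Where-Object { -not $_.Connectors } | Select-Object Name, Kind, DisplayName

$summary | Sort-Object Severity, DisplayName |
    Format-Table Name, Kind, Severity, DisplayName, Connectors, DataTypes -AutoSize
```

The count printed by the first line is the number to compare against `$templates.Count` from a working `Get-AzSentinelAlertRuleTemplate` once the fixed module ships; if the two differ, the cmdlet is dropping templates rather than merely failing to deserialize them.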

challengelogic commented 3 years ago

Sorry I thought I had the -Debug command.

The -Debug output was:

PS C:\WINDOWS\system32> $sourceTemplates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $sourceRgName -WorkspaceName $sourceLaName -debug

DEBUG: 17:25:52 - GetAlertRuleTemplate begin processing with ParameterSet 'WorkspaceScope'.
DEBUG: 17:25:54 - using account id @.'...
DEBUG: [Common.Authentication]: Authenticating using Account: @.', environment: 'AzureCloud', tenant: '2c9b93bc-3a73-49c4-9610-214152397873'
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2021-05-13T17:24:41.0000000+00:00
DEBUG: SharedTokenCacheCredential.GetToken invoked. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId:
DEBUG: SharedTokenCacheCredential.GetToken succeeded. Scopes: [ https://management.core.windows.net//.default ] ParentRequestId: ExpiresOn: 2021-05-13T17:24:41.0000000+00:00
DEBUG: [Common.Authentication]: Received token with LoginType 'User', Tenant: '2c9b93bc-3a73-49c4-9610-214152397873', UserId: @.***'
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://management.azure.com/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/alertRuleTemplates?api-version=2020-01-01

Headers:
x-ms-client-request-id : c9624a15-08d5-4fe2-a480-d24ba5d380b6
accept-language : en-US

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code: OK

Headers:
Pragma : no-cache
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-request-id : e72b3762-4593-434f-b3b9-1c6e16ee20ae
x-ms-correlation-request-id : e72b3762-4593-434f-b3b9-1c6e16ee20ae
x-ms-routing-request-id : UKSOUTH:20210513T162559Z:e72b3762-4593-434f-b3b9-1c6e16ee20ae
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Cache-Control : no-cache
Date : Thu, 13 May 2021 16:25:58 GMT
Server : Kestrel

Body:

{
  "value": [
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/738702fd-0a66-42c7-8586-e30f0583f8fe",
      "name": "738702fd-0a66-42c7-8586-e30f0583f8fe",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "High",
        "query": "DeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\" \n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] },
          { "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", "columnName": "FileHashType" }, { "identifier": "Value", "columnName": "FileHashCustomEntity" } ] }
        ],
        "displayName": "TEARDROP memory-only dropper",
        "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
        "tactics": [ "Execution", "Persistence" ],
        "lastUpdatedDateUTC": "2021-03-04T00:00:00Z",
        "createdDateUTC": "2020-12-15T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/69b7723c-2889-469f-8b55-a2d355ed9c87",
      "name": "69b7723c-2889-469f-8b55-a2d355ed9c87",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n DnsEvents | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | extend SingleIP = split(IPAddresses, \",\")\n | mvexpand SingleIP\n | extend SingleIP = tostring(SingleIP)\n // renaming time column so it is clear the log this came from\n | extend DNS_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.SingleIP\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, DNS_TimeGenerated,\nTI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = DNS_TimeGenerated, IPCustomEntity = ClientIP, HostCustomEntity = Computer, URLCustomEntity = Url",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] },
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] },
          { "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } ] }
        ],
        "displayName": "(Preview) TI map IP entity to DnsEvents",
        "description": "Identifies a match in DnsEvents from any IP IOC from TI",
        "tactics": [ "Impact" ],
        "lastUpdatedDateUTC": "2021-04-05T00:00:00Z",
        "createdDateUTC": "2019-08-27T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [
          { "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" ] },
          { "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" ] },
          { "connectorId": "DNS", "dataTypes": [ "DnsEvents" ] }
        ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/d25b1998-a592-4bc5-8a3a-92b39eedb1bc",
      "name": "d25b1998-a592-4bc5-8a3a-92b39eedb1bc",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Low",
        "query": "AWSCloudTrail\n| where EventName =~ \"ConsoleLogin\" \n| extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed), LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where MFAUsed !~ \"Yes\" and LoginResult !~ \"Failure\"\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by EventName, EventTypeName, LoginResult, MFAUsed, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, \nUserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion\n| extend timestamp = StartTimeUtc, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }
        ],
        "displayName": "Login to AWS Management Console without MFA",
        "description": "Multi-Factor Authentication (MFA) helps you to prevent credential compromise. This alert identifies logins to the AWS Management Console without MFA.\nYou can limit this detection to trigger for adminsitrative accounts if you do not have MFA enabled on all accounts.\nThis is done by looking at the eventName ConsoleLogin and if the AdditionalEventData field indicates MFA was NOT used \nand the ResponseElements field indicates NOT a Failure. Thereby indicating that a non-MFA login was successful.",
        "tactics": [ "DefenseEvasion", "PrivilegeEscalation", "Persistence", "InitialAccess" ],
        "lastUpdatedDateUTC": "2021-02-22T00:00:00Z",
        "createdDateUTC": "2019-02-27T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "AWS", "dataTypes": [ "AWSCloudTrail" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884be6e7-e568-418e-9c12-89229865ffde",
      "name": "884be6e7-e568-418e-9c12-89229865ffde",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddresss, bin(TimeGenerated, 5m)\n| where count > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, published_t\n| sort by published_t desc\n| extend timestamp = published_t, IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }
        ],
        "displayName": "Failed Logins from Unknown or Invalid User",
        "description": "This query searches for numerous login attempts to the management console with an unknown or invalid user name",
        "tactics": [ "CredentialAccess" ],
        "lastUpdatedDateUTC": "2021-02-22T00:00:00Z",
        "createdDateUTC": "2020-07-08T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "OktaSSO", "dataTypes": [ "Okta_CL" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/213252f1-497c-4124-91da-6cb43902d5b1",
      "name": "213252f1-497c-4124-91da-6cb43902d5b1",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Anomaly",
      "properties": {
        "severity": "Informational",
        "anomalyDefinitionVersion": "1.0.0",
        "techniques": [ "T1046", "T1135", "T1071", "T1095", "T1571" ],
        "customizableObservations": {
          "multiSelectObservations": null,
          "singleSelectObservations": null,
          "prioritizeExcludeObservations": null,
          "thresholdObservations": [
            { "minimum": "5", "maximum": "15", "value": "7", "name": "Number of distinct signatures in a day", "description": "Triggers anomalies when daily signatures triggered is more than the chosen value", "sequenceNumber": 1, "rerun": "RerunAlways" }
          ],
          "singleValueObservations": null
        },
        "frequency": "P1D",
        "displayName": "(Preview) Unusual external firewall alarm detected",
        "description": "This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. \nThe anomaly takes last 7 days activities to calculate top 10 noisy signatures and also noisy source hosts which are repeatedly seen \ntriggering threat signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold of \nnumber of signatures triggered in a single day.",
        "tactics": [ "Discovery", "CommandAndControl" ],
        "lastUpdatedDateUTC": "2021-04-13T00:00:00Z",
        "createdDateUTC": "2021-04-13T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog (PaloAlto)" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/56b0a0cd-894e-4b38-a0a1-c41d9f96649a",
      "name": "56b0a0cd-894e-4b38-a0a1-c41d9f96649a",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Low",
        "query": "let lbtime = 1h;\nlet tls_ciphers = dynamic(['RC4-SHA', 'DES-CBC3-SHA']);\nProofpointPOD\n| where EventType == 'message'\n| where TlsCipher in (tls_ciphers)\n| extend IpCustomEntity = SrcIpAddr",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }
        ],
        "displayName": "ProofpointPOD - Weak ciphers",
        "description": "Detects when weak TLS ciphers are used.",
        "lastUpdatedDateUTC": "2021-02-17T00:00:00Z",
        "createdDateUTC": "2021-01-11T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "ProofpointPOD", "dataTypes": [ "ProofpointPOD_message_CL" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3",
      "name": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Low",
        "query": "ZoomLogs \n| where Event =~ \"account.settings_updated\" \n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\") \n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\") \n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false' \n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\", \n EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\", \n EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\", \n EnforceLoginDomain == 'false', \"Enfored Domains Changed\", \n GuestAlerts == 'false', \"Guest Join Alerts Changed\", \n EnforceLogin == 'false', \"Enforced Logins Changed\", \n \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }
        ],
        "displayName": "External User Access Enabled",
        "description": "This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.",
        "tactics": [ "CredentialAccess", "Persistence" ],
        "lastUpdatedDateUTC": "2021-02-22T00:00:00Z",
        "createdDateUTC": "2020-04-25T00:00:00Z",
        "status": "Available",
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/ba239935-42c2-472d-80ba-689186099ea1",
      "name": "ba239935-42c2-472d-80ba-689186099ea1",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "High",
        "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Guessing\"",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [],
        "displayName": "Alsid Password Guessing",
        "description": "Searches for bruteforce Password Guessing attacks",
        "tactics": [ "CredentialAccess" ],
        "lastUpdatedDateUTC": "2021-01-17T00:00:00Z",
        "createdDateUTC": "2021-01-17T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "AlsidForAD", "dataTypes": [ "AlsidForADLog_CL" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/884c4957-70ea-4f57-80b9-1bca3890315b",
      "name": "884c4957-70ea-4f57-80b9-1bca3890315b",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let timeBin = 10m;\nlet failedThreshold = 100;\nW3CIISLog\n| where scStatus in (\"401\",\"403\")\n| where csUserName != \"-\"\n// Handling Exchange specific items in IIS logs to remove the unique log identifier in the URI\n| extend csUriQuery = iff(csUriQuery startswith \"MailboxId=\", tostring(split(csUriQuery, \"&\")[0]) , csUriQuery )\n| extend csUriQuery = iff(csUriQuery startswith \"X-ARR-CACHE-HIT=\", strcat(tostring(split(csUriQuery, \"&\")[0]),tostring(split(csUriQuery, \"&\")[1])) , csUriQuery )\n| extend scStatusFull = strcat(scStatus, \".\",scSubStatus) \n// Map common IIS codes\n| extend scStatusFull_Friendly = case(\nscStatusFull == \"401.0\", \"Access denied.\",\nscStatusFull == \"401.1\", \"Logon failed.\",\nscStatusFull == \"401.2\", \"Logon failed due to server configuration.\",\nscStatusFull == \"401.3\", \"Unauthorized due to ACL on resource.\",\nscStatusFull == \"401.4\", \"Authorization failed by filter.\",\nscStatusFull == \"401.5\", \"Authorization failed by ISAPI/CGI application.\",\nscStatusFull == \"403.0\", \"Forbidden.\",\nscStatusFull == \"403.4\", \"SSL required.\",\n\"See - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\")\n// Mapping to Hex so can be mapped using website in comments above\n| extend scWin32Status_Hex = tohex(tolong(scWin32Status)) \n// Map common win32 codes\n| extend scWin32Status_Friendly = case(\nscWin32Status_Hex =~ \"775\", \"The referenced account is currently locked out and cannot be logged on to.\",\nscWin32Status_Hex =~ \"52e\", \"Logon failure: Unknown user name or bad password.\",\nscWin32Status_Hex =~ \"532\", \"Logon failure: The specified account password has expired.\",\nscWin32Status_Hex =~ \"533\", \"Logon failure: Account currently disabled.\", \nscWin32Status_Hex =~ \"2ee2\", \"The request has timed out.\", \nscWin32Status_Hex =~ \"0\", \"The operation completed successfully.\", \nscWin32Status_Hex =~ \"1\", \"Incorrect function.\", \nscWin32Status_Hex =~ \"2\", \"The system cannot find the file specified.\", \nscWin32Status_Hex =~ \"3\", \"The system cannot find the path specified.\", \nscWin32Status_Hex =~ \"4\", \"The system cannot open the file.\", \nscWin32Status_Hex =~ \"5\", \"Access is denied.\", \nscWin32Status_Hex =~ \"8009030e\", \"SEC_E_NO_CREDENTIALS\", \nscWin32Status_Hex =~ \"8009030C\", \"SEC_E_LOGON_DENIED\", \n\"See - https://msdn.microsoft.com/library/cc231199.aspx\")\n// decode URI when available\n| extend decodedUriQuery = url_decode(csUriQuery)\n// Count of failed logons by a user\n| summarize makeset(decodedUriQuery), makeset(cIP), makeset(sSiteName), makeset(sPort), makeset(csUserAgent), makeset(csMethod), makeset(csUriQuery), makeset(scStatusFull), makeset(scStatusFull_Friendly), makeset(scWin32Status_Hex), makeset(scWin32Status_Friendly), FailedConnectionsCount = count() by bin(TimeGenerated, timeBin), csUserName, Computer, sIP\n| where FailedConnectionsCount >= failedThreshold\n| project TimeGenerated, csUserName, set_decodedUriQuery, Computer, set_sSiteName, sIP, set_cIP, set_sPort, set_csUserAgent, set_csMethod, set_scStatusFull, set_scStatusFull_Friendly, set_scWin32Status_Hex, set_scWin32Status_Friendly, FailedConnectionsCount\n| order by FailedConnectionsCount\n| extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] }
        ],
        "displayName": "High count of failed logons by a user",
        "description": "Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server.\nThis could be indicative of attempted brute force based on known account information.\nThis could also simply indicate a misconfigured service or device. \nReferences:\nIIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0\nWin32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx",
        "tactics": [ "CredentialAccess" ],
        "lastUpdatedDateUTC": "2021-02-22T00:00:00Z",
        "createdDateUTC": "2019-03-19T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "AzureMonitor(IIS)", "dataTypes": [ "W3CIISLog" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/78979d32-e63f-4740-b206-cfb300c735e0",
      "name": "78979d32-e63f-4740-b206-cfb300c735e0",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let ioc_lookBack = 30d;\nlet timeframe = 1h;\nlet TI_IP_List =\nThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(NetworkIP)\n| summarize make_list(NetworkIP);\nProofpointPOD \n| where TimeGenerated > ago(timeframe)\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr in~ (TI_IP_List)\n| extend Message = \"Email sender IP in TI list\"\n| project Message, SrcUserUpn, DstUserUpn, SrcIpAddr\n| extend AccountCustomEntity = SrcUserUpn, IpCustomEntity = SrcIpAddr",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }
        ],
        "displayName": "ProofpointPOD - Email sender IP in TI list",
        "description": "Email sender IP in TI list.",
        "tactics": [ "Exfiltration", "InitialAccess" ],
        "lastUpdatedDateUTC": "2021-01-13T00:00:00Z",
        "createdDateUTC": "2021-01-11T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [ { "connectorId": "ProofpointPOD", "dataTypes": [ "ProofpointPOD_maillog_CL" ] } ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/28b42356-45af-40a6-a0b4-a554cdfd5d8a",
      "name": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let failureCountThreshold = 5;\nlet successCountThreshold = 1;\nlet authenticationWindow = 20m;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)\n| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser\n| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)\n| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n| where AppDisplayName has \"Azure Portal\"\n// Split out failure versus non-failure types\n| extend FailureOrSuccess = iff(ResultType in (\"0\", \"50125\", \"50140\", \"70043\", \"70044\"), \"Success\", \"Failure\")\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),\nmake_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess==\"Failure\"), SuccessCount = countif(FailureOrSuccess==\"Success\") \nby bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type\n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| mvexpand IPAddress\n| extend IPAddress = tostring(IPAddress)\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress \n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
          { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }
        ],
        "displayName": "Brute force attack against Azure Portal",
        "description": "Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures \nand by a successful authentication within a given time window. \n(The query does not enforce any sequence - eg requiring the successful authentication to occur last.)\nDefault Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.",
        "tactics": [ "CredentialAccess" ],
        "lastUpdatedDateUTC": "2021-04-04T00:00:00Z",
        "createdDateUTC": "2019-04-02T00:00:00Z",
        "status": "Available",
        "requiredDataConnectors": [
          { "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" ] },
          { "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" ] }
        ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft.SecurityInsights/AlertRuleTemplates/35a0792a-1269-431e-ac93-7ae2980d4dde",
      "name": "35a0792a-1269-431e-ac93-7ae2980d4dde",
      "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
      "kind": "Scheduled",
      "properties": {
        "severity": "Medium",
        "query": "let ioc_lookBack = 30d;\nlet timeframe = 1h;\nlet TI_email_List =\nThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n| where isnotempty(EmailSenderAddress)\n| summarize make_list(EmailSenderAddress);\nProofpointPOD \n| where TimeGenerated > ago(timeframe)\n| where isnotempty(SrcUserUpn)\n| where SrcUserUpn in~ (TI_email_List)\n| extend Message = \"Email sender in TI list\"\n| project Message, SrcUserUpn, DstUserUpn\n| extend AccountCustomEntity = SrcUserUpn",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "customDetails": {},
        "entityMappings": [
          { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }
        ],
        "displayName": "ProofpointPOD - Email sender in TI list",
        "description": "Email sender in TI 
list.", "tactics": [ "Exfiltration", "InitialAccess" ], "lastUpdatedDateUTC": "2021-01-13T00:00:00Z", "createdDateUTC": "2021-01-11T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "ProofpointPOD", "dataTypes": [ "ProofpointPOD_maillog_CL" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/62085097-d113-459f-9ea7-30216f2ee6af", "name": "62085097-d113-459f-9ea7-30216f2ee6af", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Low", "query": "let starttime = 3d;\nlet SecEvents = materialize ( SecurityEvent | where TimeGenerated >= ago(starttime)\n| where EventID in (4722,4723) | where TargetUserName !endswith \"$\"\n| p roject TimeGenerated, EventID, Activity, Computer, TargetAccount, TargetSid, SubjectAccount, SubjectUserSid);\nlet userEnable = SecEvents\n| extend EventID4722Time = TimeGenerated\n// 4722: User Acc ount Enabled\n| where EventID == 4722\n| project Time_Event4722 = TimeGenerated, TargetAccount, TargetSid, SubjectAccount_Event4722 = SubjectAccount, SubjectUserSid_Event4722 = SubjectUserSid, Activ ity_4722 = Activity, Computer_4722 = Computer;\nlet userPwdSet = SecEvents\n// 4723: Attempt made by user to set password\n| where EventID == 4723\n| project Time_Event4723 = TimeGenerated, TargetAc count, TargetSid, SubjectAccount_Event4723 = SubjectAccount, SubjectUserSid_Event4723 = SubjectUserSid, Activity_4723 = Activity, Computer_4723 = Computer;\nuserEnable | join kind=leftouter userPwdS et on TargetAccount, TargetSid\n| extend PasswordSetAttemptDelta_Min = datetime_diff('minute', Time_Event4723, Time_Event4722)\n| where PasswordSetAttemptDelta_Min > 2880 or isempty(PasswordSetAttem ptDelta_Min)\n| project-away TargetAccount1, TargetSid1\n| 
extend Reason = @\"User either has not yet attempted to set the initial password after account was enabled or it occurred after 48 hours\"\ n| order by Time_Event4722 asc \n| extend timestamp = Time_Event4722, AccountCustomEntity = TargetAccount, HostCustomEntity = Computer_4722\n| project-reorder Time_Event4722, Time_Event4723, Passwor dSetAttemptDelta_Min, TargetAccount, TargetSid", "queryFrequency": "P1D", "queryPeriod": "P3D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" }, { "identifier": "Sid", "columnName": "TargetSid" } ] }, { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] } ], "displayName": "AD user enabled and password not set within 48 hours", "description": "Identifies when an account is enabled with a default password and the password is not set by the user within 48 hours.\nEffectively, there is an event 4722 indicating an acco unt was enabled and within 48 hours, no event 4723 occurs which \nindicates there was no attempt by the user to set the password. 
This will show any attempts (success or fail) that occur \nafter 48 hours, which can indicate too long of a time period in setting the password to something that only the user knows.\nIt is recommended that this time period is adjusted per your internal company poli cy.", "tactics": [ "Persistence" ], "lastUpdatedDateUTC": "2021-02-05T00:00:00Z", "createdDateUTC": "2019-01-28T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/11b4c19d-2a79-4da3-af38-b067e1273dee", "name": "11b4c19d-2a79-4da3-af38-b067e1273dee", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "High", "query": "(union isfuzzy=true\n(Event\n| where Source == \"Microsoft-Windows-Sysmon\"\n| where EventID in (17,18)\n| extend EvData = parse_xml(EventData)\n| extend EventDetail = EvData.DataI tem.EventData.Data\n| extend NamedPipe = EventDetail.[5].[\"#text\"]\n| extend ProcessDetail = EventDetail.[6].[\"#text\"]\n| where NamedPipe contains '583da945-62af-10e8-4902-a8f205c72b2e'\n| exten d Account = UserName\n| project-away EventDetail, EvData\n),\n(\n SecurityEvent\n| where EventID == '5145'\n| where AccessList has '%%4418' // presence of CreatePipeInstance value \n| where Rela tiveTargetName contains '583da945-62af-10e8-4902-a8f205c72b2e'\n)\n)\n| extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer", "queryFrequency": "P1D", "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } 
] }, { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] } ], "displayName": "Solorigate Named Pipe", "description": "Identifies a match across various data feeds for named pipe IOCs related to the Solorigate incident.", "tactics": [ "LateralMovement" ], "lastUpdatedDateUTC": "2021-03-04T00:00:00Z", "createdDateUTC": "2020-12-30T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvent" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/9736e5f1-7b6e-4bfb-a708-e53ff1d182c3", "name": "9736e5f1-7b6e-4bfb-a708-e53ff1d182c3", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Low", "query": "let tokens = dynamic([\"416\",\"208\",\"128\",\"120\",\"96\",\"80\",\"72\",\"64\",\"48\",\"44\",\"40\",\"g5\",\"gs5\",\"g4\",\"gs4\",\"nc12\",\"nc24\",\"nv12\"]);\nlet operationLis t = dynamic([\"Create or Update Virtual Machine\", \"Create Deployment\"]);\nAzureActivity\n| where OperationName in (operationList)\n| where ActivityStatus == \"Accepted\" \n| where isnotempty(Prop erties)\n| extend vmSize = tolower(tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).hardwareProfile)).vmSize))\n| where isnotem pty(vmSize)\n| where vmSize has_any (tokens) \n| extend ComputerName = tostring(parse_json(tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).responseBody)).properties)).osProfi le)).computerName)\n| extend clientIpAddress = tostring(parse_json(HTTPRequest).clientIpAddress)\n| project TimeGenerated, OperationName, ActivityStatus, Caller, CallerIpAddress, ComputerName, vmSiz e\n| extend 
timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress", "queryFrequency": "P1D", "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 1, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] } ], "displayName": "Creation of expensive computes in Azure", "description": "Identifies the creation of large size/expensive VMs (GPU or with large no of virtual CPUs) in Azure.\nAdversary may create new or update existing virtual machines sizes to ev ade defenses \nor use it for cryptomining purposes.\nFor Windows/Linux Vm Sizes - https://docs.microsoft.com/azure/virtual-machines/windows/sizes \nAzure VM Naming Conventions - https://docs.microso ft.com/azure/virtual-machines/vm-naming-conventions", "tactics": [ "DefenseEvasion" ], "lastUpdatedDateUTC": "2021-02-22T00:00:00Z", "createdDateUTC": "2020-08-28T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActivity", "dataTypes": [ "AzureActivity" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/f15370f4-c6fa-42c5-9be4-1d308f40284e", "name": "f15370f4-c6fa-42c5-9be4-1d308f40284e", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Medium", "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// P icking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) 
or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As th ere is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| e xtend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n| join (\n OfficeActivity | where TimeGenerated >= ago(dt_lookBack)\n // renaming time column so it is clear the log this came from\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n)\non $left.TI_ipEntity == $right.ClientIP\n| where OfficeActivity_TimeGenerate d >= TimeGenerated and OfficeActivity_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, Acti vityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, OfficeActivity_TimeGenerated,\nTI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress\n| extend timestamp = OfficeActivity_TimeGenerated, IPCustomEntity = ClientIP, AccountCustomEntity = UserId, URLCustomEntity = Url", "queryFrequency": "PT1H", "queryPeriod": "P14D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }, { "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } ] } ], "displayName": "(Preview) TI map IP entity to 
OfficeActivity", "description": "Identifies a match in OfficeActivity from any IP IOC from TI", "tactics": [ "Impact" ], "lastUpdatedDateUTC": "2021-04-05T00:00:00Z", "createdDateUTC": "2019-08-27T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" ] }, { "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" ] }, { "connectorId": "Office365", "dataTypes": [ "OfficeActivity" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/ffcd575b-3d54-482a-a6d8-d0de13b6ac63", "name": "ffcd575b-3d54-482a-a6d8-d0de13b6ac63", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Medium", "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet emailregex = @@.**A-Z0-9-]+\.[a-zA-Z0-9-.]+$';\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(io c_lookBack) and ExpirationDateTime > now()\n| where Active == true\n//Filtering the table for Email related IOCs\n| where isnotempty(EmailSenderAddress)\n| join (\n CommonSecurityLog | where Time Generated >= ago(dt_lookBack) and isnotempty(DestinationUserID)\n // Filtering PAN Logs for specific event type to match relevant email entities\n | where DeviceVendor == \"Palo Alto Networks\ " and DeviceEventClassID == \"wildfire\" and ApplicationProtocol in (\"smtp\",\"pop3\")\n | extend DestinationUserID = tolower(DestinationUserID)\n | where DestinationUserID matches regex ema ilregex\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n)\non $left.EmailSenderAddress == $right.DestinationUserID\n| where CommonSecurityLog_TimeGenerated >= TimeGenerated and Common SecurityLog_TimeGenerated < ExpirationDateTime\n| summarize 
LatestIndicatorTime = arg_max(TimeGenerated, ) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorI d, ThreatType, Url, ExpirationDateTime, ConfidenceScore, CommonSecurityLog_TimeGenerated,\nEmailSenderName, EmailRecipient, EmailSourceDomain, EmailSourceIpAddress, EmailSubject, FileHashValue, File HashType, DestinationUserID, DeviceEventClassID, LogSeverity, DeviceAction,\nSourceIP, SourcePort, DestinationIP, DestinationPort, Protocol, ApplicationProtocol\n| extend timestamp = CommonSecurityL og_TimeGenerated, AccountCustomEntity = DestinationUserID, IPCustomEntity = SourceIP, URLCustomEntity = Url", "queryFrequency": "PT1H", "queryPeriod": "P14D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] }, { "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } ] } ], "displayName": "(Preview) TI map Email entity to CommonSecurityLog", "description": "Identifies a match in CommonSecurityLog table from any Email IOC from TI", "tactics": [ "Impact" ], "lastUpdatedDateUTC": "2021-04-05T00:00:00Z", "createdDateUTC": "2019-08-28T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "PaloAltoNetworks", "dataTypes": [ "CommonSecurityLog" ] }, { "connectorId": "ThreatIntelligence", "dataTypes": [ "ThreatIntelligenceIndicator" ] }, { "connectorId": "ThreatIntelligenceTaxii", "dataTypes": [ "ThreatIntelligenceIndicator" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft 
.SecurityInsights/AlertRuleTemplates/18e6a87e-9d06-4a4e-8b59-3469cd49552d", "name": "18e6a87e-9d06-4a4e-8b59-3469cd49552d", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Medium", "query": "(union isfuzzy=true (SecurityEvent \n| where EventID == 4662 // You need to create a SACL on the ADFS Policy Store DKM group for this event to be created. \n| where ObjectServer == 'DS'\n| where OperationType == 'Object Access'\n//| where ObjectName contains '<GUID of ADFS Policy Store DKM Group object' This is unique to the domain. Check description for more details.\n| wher e ObjectType contains '5cb41ed0-0e4c-11d0-a286-00aa003049e2' // Contact Class\n| where Properties contains '8d3bca50-1d7e-11d0-a081-00aa006c33ed' // Picture Attribute - Ldap-Display-Name: thumbnailP hoto\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer, AccountCustomEntity = SubjectAccount),\n(DeviceEvents\n| where ActionType =~ \"LdapSearch\"\n| where AdditionalFields.Attribute List contains \"thumbnailPhoto\"\n| where AdditionalFields.DistinguishedName contains \"CN=ADFS,CN=Microsoft,CN=Program Data\" // Filter results to show only hits related to the ADFS AD container\n| extend timestamp = TimeGenerated, HostCustomEntity = DeviceName, AccountCustomEntity = InitiatingProcessAccountName)\n)", "queryFrequency": "P1D", "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] } ], "displayName": "ADFS DKM Master Key Export", "description": "Identifies an export of the ADFS DKM Master Key from Active Directory.\nReferences: https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cybera ttacks/, 
\nhttps://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html?1\nTo understand further the details behind this detection, please review the details in the original PR and subequent PR update to this:\nhttps://github.com/Azure/Azure-Sentinel/pull/1562#issue-551542469\nhttps://github.com/Azure/Azure-Sent inel/pull/1512#issue-543053339\n", "tactics": [ "Collection" ], "lastUpdatedDateUTC": "2021-03-04T00:00:00Z", "createdDateUTC": "2020-12-17T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "SecurityEvents", "dataTypes": [ "SecurityEvents" ] }, { "connectorId": "MicrosoftThreatProtection", "dataTypes": [ "DeviceEvents" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", "name": "95dc4ae3-e0f2-48bd-b996-cdd22b90f9af", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "High", "query": "(union isfuzzy=true\n(\nAuditLogs\n| where OperationName =~ \"Set federation settings on domain\"\n//| where Result =~ \"success\" // commenting out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand modifiedProperties\n| extend targetDisplayName = tostr ing(parse_json(modifiedProperties).displayName)\n| mv-expand AdditionalDetails\n),\n(\nAuditLogs\n| where OperationName =~ \"Set domain authentication\"\n//| where Result =~ \"success\" // comment ing out, as it may be interesting to capture failed attempts\n| mv-expand TargetResources\n| extend modifiedProperties = parse_json(TargetResources).modifiedProperties\n| mv-expand 
modifiedPropertie s\n| extend targetDisplayName = tostring(parse_json(modifiedProperties).displayName), NewDomainValue=tostring(parse_json(modifiedProperties).newValue)\n| where NewDomainValue has \"Federated\"\n)\n) \n| extend UserAgent = iff(AdditionalDetails.key == \"User-Agent\",tostring(AdditionalDetails.value),\"\")\n| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring (InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))\n| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostrin g(InitiatedBy.app.ipAddress))\n| project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, Tenant Id, AADTenantId\n| extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress", "queryFrequency": "P1D", "queryPeriod": "P1D", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] } ], "displayName": "Modified domain federation trust settings", "description": "This will alert when a user or application modifies the federation settings on the domain or Update domain authentication from Managed to Federated.\nFor example, this alert will trigger when a new Active Directory Federated Service (ADFS) TrustedRealm object, such as a signing certificate, is added to the domain.\nModification to domain federation settings should be ra re. 
Confirm the added or modified target domain/URL is legitimate administrator behavior.\nTo understand why an authorized user may update settings for a federated domain in Office 365, Azure, or In tune, see: https://docs.microsoft.com/office365/troubleshoot/active-directory/update-federated-domain-office-365.\nFor details on security realms that accept security tokens, see the ADFS Proxy Prot ocol (MS-ADFSPP) specification: https://docs.microsoft.com/openspecs/windows_protocols/ms-adfspp/e7b9ea73-1980-4318-96a6-da559486664b.\nFor further information on AuditLogs please see https://docs.m icrosoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.", "tactics": [ "CredentialAccess" ], "lastUpdatedDateUTC": "2021-03-02T00:00:00Z", "createdDateUTC": "2020-12-11T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActiveDirectory", "dataTypes": [ "AuditLogs" ] } ], "alertRulesCreatedByTemplateCount": 0 } }, { "id": "/subscriptions/1f43fa83-6cde-4fd3-b165-15c75be74fd2/resourceGroups/rg-wmp-uks-loganalytics01/providers/Microsoft.OperationalInsights/workspaces/la-wmp-uks-security01/providers/Microsoft .SecurityInsights/AlertRuleTemplates/65c78944-930b-4cae-bd79-c3664ae30ba7", "name": "65c78944-930b-4cae-bd79-c3664ae30ba7", "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "kind": "Scheduled", "properties": { "severity": "Medium", "query": "(union isfuzzy=true\n(AuditLogs \n| where OperationName =~ \"Disable Strong Authentication\"\n| extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) \n| ex tend InitiatedByUser = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json( tostring(InitiatedBy.app)).displayName))\n| extend Targetprop = todynamic(TargetResources)\n| extend TargetUser = tostring(Targetprop[0].userPrincipalName) \n| summarize StartTimeUtc = min(TimeGener 
ated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, InitiatedByUser , Operation = OperationName , CorrelationId, IPAddress, Category, Source = SourceSystem , AADTenantId, Type\n),\n(AWSClou dTrail\n| where EventName in~ (\"DeactivateMFADevice\", \"DeleteVirtualMFADevice\") \n| extend InstanceProfileName = tostring(parse_json(RequestParameters).InstanceProfileName)\n| extend TargetUser = tostring(parse_json(RequestParameters).userName)\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by User = TargetUser, Source = EventSource , Operation = EventName , TenantorInstance_Detail = InstanceProfileName, IPAddress = SourceIpAddress\n)\n)\n| extend timestamp = StartTimeUtc, AccountCustomEntity = User, IPCustomEntity = IPAddress", "queryFrequency": "PT1H", "queryPeriod": "PT1H", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "customDetails": {}, "entityMappings": [ { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] }, { "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } ] } ], "displayName": "MFA disabled for a user", "description": "Multi-Factor Authentication (MFA) helps prevent credential compromise. This alert identifies when an attempt has been made to disable MFA for a user ", "tactics": [ "CredentialAccess" ], "lastUpdatedDateUTC": "2021-04-29T00:00:00Z", "createdDateUTC": "2019-12-16T00:00:00Z", "status": "Available", "requiredDataConnectors": [ { "connectorId": "AzureActiveDirectory", "

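A response body like the one quoted above is usable even while the cmdlet is failing, so here is an added example (not code from the azure-powershell project or from anyone in this thread) that reads the alert rule template list offline and reports, for each template, which data connectors it needs, whether a workspace with a given set of connectors can deploy it, and whether any analytics rule has already been created from it. It assumes the list body wraps the templates in a top-level `value` array, as ARM list operations do; the sample JSON, the enabled-connector list and the `Get-TemplateSummary` function name are all mine, and the sample keeps only the fields the script reads.

```powershell
# Added example, not part of the azure-powershell project or of this thread.
# Summarises Sentinel alert rule templates from a saved JSON list response so the
# check runs offline. Assumption: the body has a top-level "value" array of
# template objects shaped like the ones quoted in the thread.
# The JSON below is constructed; the third template has no connector list on
# purpose, to show that a null collection in the response is handled.

$sampleJson = @'
{
  "value": [
    {
      "name": "78979d32-e63f-4740-b206-cfb300c735e0",
      "kind": "Scheduled",
      "properties": {
        "displayName": "ProofpointPOD - Email sender IP in TI list",
        "severity": "Medium",
        "tactics": [ "Exfiltration", "InitialAccess" ],
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "requiredDataConnectors": [
          { "connectorId": "ProofpointPOD", "dataTypes": [ "ProofpointPOD_maillog_CL" ] }
        ],
        "alertRulesCreatedByTemplateCount": 0
      }
    },
    {
      "name": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
      "kind": "Scheduled",
      "properties": {
        "displayName": "Brute force attack against Azure Portal",
        "severity": "Medium",
        "tactics": [ "CredentialAccess" ],
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "requiredDataConnectors": [
          { "connectorId": "AzureActiveDirectory", "dataTypes": [ "SigninLogs" ] },
          { "connectorId": "AzureActiveDirectory", "dataTypes": [ "AADNonInteractiveUserSignInLogs" ] }
        ],
        "alertRulesCreatedByTemplateCount": 1
      }
    },
    {
      "name": "00000000-0000-0000-0000-000000000000",
      "kind": "Fusion",
      "properties": {
        "displayName": "Constructed template with no connector list",
        "severity": "High",
        "tactics": [],
        "requiredDataConnectors": null,
        "alertRulesCreatedByTemplateCount": 0
      }
    }
  ]
}
'@

function Get-TemplateSummary {
    param(
        [Parameter(Mandatory)] [string]   $Json,
        [string[]] $EnabledConnectors = @()
    )

    $templates = (ConvertFrom-Json -InputObject $Json).value
    foreach ($t in $templates) {
        $p = $t.properties
        # Where-Object { $_ } drops a null connector list and @() makes the result
        # an array, so a template without connectors yields an empty set rather
        # than a null that later member access would fail on.
        $required = @($p.requiredDataConnectors |
                      Where-Object { $_ } |
                      ForEach-Object { $_.connectorId } |
                      Sort-Object -Unique)
        $missing  = @($required | Where-Object { $EnabledConnectors -notcontains $_ })

        [pscustomobject]@{
            Name        = $t.name
            DisplayName = $p.displayName
            Kind        = $t.kind
            Severity    = $p.severity
            Tactics     = (@($p.tactics) -join ',')
            Frequency   = $p.queryFrequency
            Period      = $p.queryPeriod
            Connectors  = ($required -join ',')
            Missing     = ($missing -join ',')
            Deployable  = ($missing.Count -eq 0)
            InUse       = ([int]$p.alertRulesCreatedByTemplateCount -gt 0)
        }
    }
}

# Connectors assumed to be enabled in a hypothetical workspace.
$enabled = 'AzureActiveDirectory', 'SecurityEvents'

Get-TemplateSummary -Json $sampleJson -EnabledConnectors $enabled |
    Sort-Object Deployable, Severity, DisplayName -Descending |
    Format-Table DisplayName, Kind, Severity, Connectors, Missing, Deployable, InUse -AutoSize
```

With the constructed input, the Azure Portal brute-force template comes out deployable and in use, the Proofpoint template is reported as missing the `ProofpointPOD` connector, and the connector-less template is deployable with an empty connector column instead of raising an error. To run this against a real workspace, feed the function the `Content` string of an `Invoke-AzRestMethod` call to the workspace's `Microsoft.SecurityInsights/alertRuleTemplates` path instead of `$sampleJson`; that call and its API version are assumptions outside the thread, and the script does not make it.
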
dicolanl commented 3 years ago

So it worked? I see the body returned data from the API call.

I don't see the powershell error in this now