From bde68a5d25e18144b77db6d69ddd7643c79c17ee Mon Sep 17 00:00:00 2001
From: v-shukore
Date: Fri, 20 Sep 2024 12:19:11 +0530
Subject: [PATCH 1/8] Update HuntingQueriesMigrated.json
---
 .../HuntingQueriesMigrated.json | 425 +++++++++++++++++-
 1 file changed, 423 insertions(+), 2 deletions(-)
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
index a0b0527a6a7..150164ba942 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
@@ -1326,7 +1326,428 @@ "templateName": "UserLoginIPAddressTeleportation.yaml", "id": "09a7c5fc-0649-4f7d-a21b-36a754cef6b6", "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/Execution/", - "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Hunting%20Queries/" - } + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Hunting%20Queries/" }, + { + "templateName": "ATP policy status check.yaml", + "id": "518e6938-10ef-4165-af19-82f1287141bc", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "JNLP attachment.yaml", + "id": "b6392f39-a1f4-4ec8-8689-4cb9d28c295a", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Safe attachment detection.yaml", + "id": "16eda414-1550-4cdc-8512-0769901d3f05", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Authentication failures.yaml", + "id": "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Spoof 
attempts with auth failure.yaml", + "id": "5971f2e7-1bb2-4170-aa7a-577ed8a45c72", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Audit Email Preview-Download action.yaml", + "id": "ba1a91ad-1f99-4386-b191-06a76ef213f8", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunt for TABL changes.yaml", + "id": "bc2d8214-afb6-4876-b210-25b69325b9b2", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Local time to UTC time conversion.yaml", + "id": "712ffdd8-ddce-4372-85dd-063029b418cf", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO daily detection summary report.yaml", + "id": "deb4b2c6-c10e-4044-8cf4-84243e40db73", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Mail item accessed.yaml", + "id": "81ede5df-2ec3-40a5-9dff-1fe6a841079d", + "OldPath": 
"https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Malicious email senders.yaml", + "id": "63c799bc-7567-4e4d-97be-e143fcfaa333", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Emails containing links to IP addresses.yaml", + "id": "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Good emails from senders with bad patterns.yaml", + "id": "e6259b03-622e-4e11-9c54-94987dad7c14", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunt for email conversation take over attempts.yaml", + "id": "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunt for malicious URLs using external IOC source.yaml", + "id": "57f95ba7-938d-4a76-b411-c01034c0d167", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + 
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunt for malicious attachments using external IOC source.yaml", + "id": "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Inbox rule change which forward-redirect email.yaml", + "id": "54569b06-47fc-41ae-9b00-f7d9b61337b6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO_CountOfRecipientsEmailaddressbySubject.YAML", + "id": "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO_CountOfSendersEmailaddressbySubject.YAML", + "id": "b95994d1-1008-4c42-a74f-9f2967e39ed6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO_Countofrecipientsemailaddressesbysubject.YAML", + "id": "f840db5b-87c9-43c8-a8c3-5b6b83838cd4", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": 
"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO_SummaryOfSenders.YAML", + "id": "a96c1571-1f7d-48dc-8287-7df5a5f0d987", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "MDO_URLClickedinEmail.YAML", + "id": "2c6e7f75-d83c-4344-afdc-83335fe550e6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Detections by detection methods.yaml", + "id": "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Mail reply to new domain.yaml", + "id": "da7b973a-0045-4fd6-9161-269369336d24", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Mailflow by directionality.yaml", + "id": "6b478186-da3b-4d71-beaa-aa5b42908499", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Malicious emails detected per day.yaml", + "id": 
"da932998-81dd-4be4-963c-f4890cb4192e", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Sender recipient contact establishment.yaml", + "id": "b2beec6a-2c1c-4319-a191-e70c2ee42857", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top 100 malicious email senders.yaml", + "id": "12225f50-9d41-4b78-8269-cc127d98654c", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top 100 senders.yaml", + "id": "cadf6e78-2a9a-4fb5-b788-30a592d699d3", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Zero day threats.yaml", + "id": "95b0c7ed-2853-4343-80a9-ab076cf31e51", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Email containing malware accessed on a unmanaged device.yaml", + "id": "439f817c-845c-4dda-a8d9-5c1f6831cee9", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", 
+ "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Email containing malware sent by an internal sender.yaml", + "id": "07c85687-6dee-4266-9345-1e34de85d989", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Email malware detection report.yaml", + "id": "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Malware detections by detection methods.yaml", + "id": "a3619c75-a927-4dbb-91cc-9adc55e95bda", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Admin overrides.yaml", + "id": "fd68706e-8e3e-4ccd-9230-1f267bdad4c8", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top policies performing admin overrides.yaml", + "id": "c73ae295-d120-4f79-aaed-de005f766ad2", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": 
"Top policies performing user overrides.yaml", + "id": "fe2cb53e-4eb3-4676-87c1-f80d2813f542", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User overrides.yaml", + "id": "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Appspot phishing abuse.yaml", + "id": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Campaign with randomly named attachments.yaml", + "id": "25150085-015a-4673-9b67-bc6ad9475500", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Campaign with suspicious keywords.yaml", + "id": "9b086a51-e396-4718-90d7-f7b3646e6581", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Custom detection-Emails with QR from non-prevalent senders.yaml", + "id": "516046e8-a460-4f7b-86eb-421d3a9cdff1", + "OldPath": 
"https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Emails delivered having URLs from QR codes.yaml", + "id": "594fe5a1-53b6-466b-86df-028366c3994e", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Emails with QR codes and suspicious keywords in subject.yaml", + "id": "706b711a-7622-40f1-9ebb-331d1a0ff697", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Emails with QR codes from non-prevalent sender.yaml", + "id": "f708c866-073a-4107-a60b-ba6f86e54caa", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunting for sender patterns.yaml", + "id": "68aa199c-259b-4bb0-8e7a-8ed6f96c5525", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Hunting for user signals-clusters.yaml", + "id": "8c852f12-499f-499b-afc1-25c50aa9b462", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + 
"NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Inbound emails with QR code URLs.yaml", + "id": "f6354c94-3a95-4235-8530-414f016a7bf6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Personalized campaigns based on the first few keywords.yaml", + "id": "dc7e1eb5-16f5-4ad5-96a1-794970f4b310", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Personalized campaigns based on the last few keywords.yaml", + "id": "54d3455d-27e0-4ceb-99f9-375abd620151", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Risky sign-in attempt from a non-managed device.yaml", + "id": "8d298b5c-feca-4add-bd42-e43e0a317a88", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Suspicious sign-in attempts from QR code phishing campaigns.yaml", + "id": "3131d0ba-32c9-483e-a25c-82e26a07e116", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": 
"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Group quarantine release.yaml", + "id": "a12cac64-ea6d-46d4-91a6-262b165fb9ad", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "High Confidence Phish Released.yaml", + "id": "9e8faa62-7222-48a5-a78f-ef2d22f866dc", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Quarantine Release Email Details.yaml", + "id": "6f96f6d7-d972-421e-a59f-6b9a8de81324", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Quarantine release trend.yaml", + "id": "9f135aef-ad25-4df2-bdab-8399978a36a2", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Email remediation action list.yaml", + "id": "99713387-9d61-49eb-8edc-f51153d8bb01", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Display Name - Spoof and Impersonation.yaml", + 
"id": "6a570927-8638-4a6f-ac09-72a7d51ffa3c", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Referral phish emails.yaml", + "id": "cdc4da1c-64a1-4941-be59-1f5cc85481ab", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Spoof and impersonation detections by sender IP.yaml", + "id": "b3180ac0-6d94-494a-8b8c-fcc84319ea6e", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Spoof and impersonation phish detections.yaml", + "id": "011c3d48-f6ca-405f-9763-66c7856ad2ba", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User not covered under display name impersonation.yaml", + "id": "e90345b3-439c-44e1-a85d-8ae84ad9c65b", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Admin reported submissions.yaml", + "id": "71aeb41d-c85c-4569-bb08-6f1cd38bca49", + "OldPath": 
"https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Status of submissions.yaml", + "id": "1c390fd7-2668-4445-9b7d-055f3851be5f", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top submitters of admin submissions.yaml", + "id": "2d2351ca-e9a6-4286-b445-a9268189c1dc", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top submitters of user submissions.yaml", + "id": "8c9bc29b-f32a-49fe-8fe8-450479f4130f", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User reported submissions.yaml", + "id": "0bd33643-c517-48b1-8211-25a7fbd15a50", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Attacked more than x times average.yaml", + "id": "de480ca4-4095-4fef-b3e7-2a3f17f24e78", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": 
"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Malicious mails by sender IPs.yaml", + "id": "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top 10 URL domains attacking organization.yaml", + "id": "27ee28e7-423b-48c9-a410-cbc6c8e21d25", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top 10 percent of most attacked users.yaml", + "id": "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top external malicious senders.yaml", + "id": "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Top targeted users.yaml", + "id": "a1664330-810a-473b-b354-acbaa751a294", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "End user malicious clicks.yaml", 
+ "id": "d24e9c4a-b72a-4a85-89cd-83760ae61155", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "URL click count by click action.yaml", + "id": "3f007cdc-86bf-4657-9015-05101a3e54f5", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "URL click on ZAP Email.yaml", + "id": "efe27064-6d35-4720-b7f5-e0326695613d", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "URL clicks actions by URL.yaml", + "id": "bc46e331-3cb0-483d-9c90-989d2a59457f", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "URLClick details based on malicious URL click alert.yaml", + "id": "03e61096-20d0-46eb-b8e0-a507dd00a19f", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User clicked through events.yaml", + "id": "f075d4c4-cf76-4e5d-9c2d-9ed524286316", + "OldPath": 
"https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User clicks on malicious inbound emails.yaml", + "id": "891f4865-75e5-4d40-bc24-ebf97da3ca9a", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "User clicks on phishing URLs in emails.yaml", + "id": "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Phishing Email Url Redirector.yaml", + "id": "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "SafeLinks URL detections.yaml", + "id": "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }, + { + "templateName": "Total ZAP count.yaml", + "id": "c10b22a0-6021-46f9-bdaf-05bf2350a554", + "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/", + "NewPath": 
"https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
+
+ ]
\ No newline at end of file
From 8a3632f29149eadafdb8833f68c0055fe52d6c2a Mon Sep 17 00:00:00 2001
From: v-shukore Date: Fri, 20 Sep 2024 13:29:27 +0530 Subject: [PATCH 2/8] Updated migrated Hunting Query description --- .../Attachment/ATP policy status check.yaml | 25 +------- .../Attachment/JNLP attachment.yaml | 16 +---- .../Attachment/Safe attachment detection.yaml | 21 +----- .../Authentication failures.yaml | 21 +----- .../Spoof attempts with auth failure.yaml | 20 +----- .../Audit Email Preview-Download action.yaml | 27 +------- .../General/Hunt for TABL changes.yaml | 18 +----- .../Local time to UTC time conversion.yaml | 18 +----- .../MDO daily detection summary report.yaml | 64 +------------------ .../General/Mail item accessed.yaml | 19 +----- .../General/Malicious email senders.yaml | 20 +----- .../Email Queries/General/New TABL Items.yaml | 31 +-------- ...ails containing links to IP addresses.yaml | 16 +---- ...emails from senders with bad patterns.yaml | 28 +------- ...email conversation take over attempts.yaml | 38 +---------- ...icious URLs using external IOC source.yaml | 26 +------- ...attachments using external IOC source.yaml | 25 +------- ...e change which forward-redirect email.yaml | 19 +----- ...ountOfRecipientsEmailaddressbySubject.YAML | 31 +-------- ...O_CountOfSendersEmailaddressbySubject.YAML | 31 +-------- ...ntofrecipientsemailaddressesbysubject.YAML | 31 +-------- .../Hunting/MDO_SummaryOfSenders.YAML | 34 +--------- .../Hunting/MDO_URLClickedinEmail.YAML | 27 +------- .../Detections by detection methods.yaml | 44 +------------ .../Mailflow/Mail reply to new domain.yaml | 38 +---------- .../Mailflow/Mailflow by directionality.yaml | 19 +----- .../Malicious emails detected per day.yaml | 27 +------- ...ender recipient contact establishment.yaml | 33 +--------- .../Top 100 malicious email senders.yaml | 19 +----- .../Mailflow/Top 100 senders.yaml | 18 +----- .../Mailflow/Zero day threats.yaml | 18 +----- ...alware accessed on a unmanaged device.yaml | 28 +------- ...ng malware sent by an internal sender.yaml | 18 +----- .../Email 
malware detection report.yaml | 24 +------ ...lware detections by detection methods.yaml | 30 +-------- .../Overrides/Admin overrides.yaml | 19 +----- ...p policies performing admin overrides.yaml | 18 +----- ...op policies performing user overrides.yaml | 18 +----- .../Overrides/User overrides.yaml | 19 +----- .../Phish/Appspot phishing abuse.yaml | 29 +-------- .../PhishDetectionByDetectionMethod.yaml | 37 +---------- ...paign with randomly named attachments.yaml | 22 +------ .../Campaign with suspicious keywords.yaml | 23 +------ ...ls with QR from non-prevalent senders.yaml | 49 +------------- ...s delivered having URLs from QR codes.yaml | 23 +------ ...es and suspicious keywords in subject.yaml | 25 +------- ...th QR codes from non-prevalent sender.yaml | 34 +--------- .../QR code/Hunting for sender patterns.yaml | 45 +------------ .../Hunting for user signals-clusters.yaml | 24 +------ .../Inbound emails with QR code URLs.yaml | 23 +------ ...aigns based on the first few keywords.yaml | 23 +------ ...paigns based on the last few keywords.yaml | 23 +------ ...-in attempt from a non-managed device.yaml | 29 +-------- ...empts from QR code phishing campaigns.yaml | 45 +------------ .../Quarantine/Group quarantine release.yaml | 22 +------ .../High Confidence Phish Released.yaml | 25 +------- .../Quarantine Release Email Details.yaml | 25 +------- .../Quarantine/Quarantine release trend.yaml | 20 +----- .../Email remediation action list.yaml | 31 +-------- ...isplay Name - Spoof and Impersonation.yaml | 33 +--------- .../Referral phish emails.yaml | 25 +------- ...impersonation detections by sender IP.yaml | 19 +----- ...of and impersonation phish detections.yaml | 20 +----- ...ered under display name impersonation.yaml | 26 +------- .../Admin reported submissions.yaml | 20 +----- .../Submissions/Status of submissions.yaml | 23 +------ .../Top submitters of admin submissions.yaml | 23 +------ .../Top submitters of user submissions.yaml | 23 +------ .../User 
reported submissions.yaml | 20 +----- .../Attacked more than x times average.yaml | 22 +------ .../Malicious mails by sender IPs.yaml | 19 +----- ...10 URL domains attacking organization.yaml | 25 +------- ...Top 10 percent of most attacked users.yaml | 23 +------ .../Top external malicious senders.yaml | 19 +----- .../Top Attacks/Top targeted users.yaml | 19 +----- .../URL Click/End user malicious clicks.yaml | 22 +------ .../URL click count by click action.yaml | 20 +----- .../URL Click/URL click on ZAP Email.yaml | 21 +----- .../URL Click/URL clicks actions by URL.yaml | 20 +----- ...ls based on malicious URL click alert.yaml | 20 +----- .../User clicked through events.yaml | 18 +----- ...er clicks on malicious inbound emails.yaml | 26 +------- ...ser clicks on phishing URLs in emails.yaml | 19 +----- .../URL/Phishing Email Url Redirector.yaml | 21 +----- .../URL/SafeLinks URL detections.yaml | 21 +----- .../Email Queries/ZAP/Total ZAP count.yaml | 18 +----- 86 files changed, 86 insertions(+), 2072 deletions(-) diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml index 073d68c7fb1..613e0c8edfa 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/ATP policy status check.yaml 
@@ -1,27 +1,4 @@
 id: 518e6938-10ef-4165-af19-82f1287141bc
 name: ATP policy status check
 description: |
- This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
-description-detailed: |
- This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- CloudAppEvents
- | where Application == "Microsoft Exchange Online"
- | where ActionType == "Set-AtpPolicyForO365"
- | mv-expand ActivityObjects
- | extend Name = tostring(ActivityObjects.Name)
- | extend Value = tostring(ActivityObjects.Value)
- | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
- | extend packed = pack(Name, Value)
- | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
- | evaluate bag_unpack(PackedInfo)
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/ATP%20policy%20status%20check.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
index 360cac771fb..65c6143125a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/JNLP attachment.yaml
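Review bot: The single quotes around the replacement description are literal inside a `description: |` block scalar, so the migrated stub's description now reads `'As part of content migration, ... .yaml'` with the quotes (and a trailing `'` glued onto the URL for anything that linkifies it); dropping them and fixing the sentence gives `  As part of content migration, this file has moved to a new location. You can find it here: https://…/ATP%20policy%20status%20check.yaml`. The same applies to every other hunk in this patch visible here: JNLP attachment, Safe attachment detection, Authentication failures, Spoof attempts with auth failure, Audit Email Preview-Download action, Hunt for TABL changes, Local time to UTC time conversion, MDO daily detection summary report, Mail item accessed, Malicious email senders, New TABL Items, Emails containing links to IP addresses and Good emails from senders with bad patterns. Each stub also drops `query`, `requiredDataConnectors`, `tactics`, `relevantTechniques` and `version` while keeping `id` and `name`, so if any repository tooling still enumerates this folder and requires those keys (not visible from this patch), these files will fail validation or surface as hunting queries with no query body; deleting the files, or keeping `version` alongside an explicit deprecation field, would be cleaner than a description-only stub. Minor inconsistency: the JNLP stub is written with a trailing newline while all the other stubs end without one.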
@@ -1,18 +1,4 @@
 id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
 name: JNLP-File-Attachment
 description: |
- JNLP file extensions are an uncommon file type often used to deliver malware.
-description-detailed: |
- JNLP file extensions are an uncommon file type often used to deliver malware.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailAttachmentInfo
-tactics:
-- InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailAttachmentInfo
- | where FileName endswith ".jnlp"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/JNLP%20attachment.yaml'
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
index d88452723a4..bcc5b0acbb9 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Attachment/Safe attachment detection.yaml
@@ -1,23 +1,4 @@
 id: 16eda414-1550-4cdc-8512-0769901d3f05
 name: Safe Attachments detections
 description: |
- This query provides insights on the detections done by Safe Attachment detections
-description-detailed: |
- This query provides insights on the detections done by Safe Attachment detections.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where DetectionMethods != ""
- | extend detection= tostring(parse_json(DetectionMethods).Phish)
- | where detection has "File detonation reputation" or detection has "File detonation"
- | summarize total=count() by bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/Safe%20attachment%20detection.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml
index 98fffd44e55..4d37a4da4b7 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Authentication failures.yaml
@@ -1,23 +1,4 @@
 id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
 name: Authentication failures by time and authentication type
 description: |
- This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
-description-detailed: |
- This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago (30d)
- | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
- | evaluate bag_unpack(AR)
- | where DMARC == "fail"
- | summarize count() by bin(Timestamp, 1d)
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Authentication%20failures.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml
index 050f4149469..dfc92f2cdf1 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Authentication/Spoof attempts with auth failure.yaml
@@ -1,22 +1,4 @@
 id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
 name: Spoof attempts with auth failure
 description: |
- This query helps in checking for spoofing attempts on the domain with Authentication failures
-description-detailed: |
- This query helps in checking for spoofing attempts on the domain with Authentication failures.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago (1d) and DetectionMethods contains "spoof"
- | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames
- | evaluate bag_unpack(AR)
- | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml
index 830d0baf68d..f29509ee35e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Audit Email Preview-Download action.yaml
@@ -1,29 +1,4 @@
 id: ba1a91ad-1f99-4386-b191-06a76ef213f8
 name: Audit Email Preview-Download action
 description: |
- This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
-description-detailed: |
- This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
-- PrivilegeEscalation
-relevantTechniques:
- - T1078
-query: |
- CloudAppEvents
- | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData)
- | evaluate bag_unpack(AR)
- | where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
- | serialize
- | extend RowNumber = row_number()
- | mv-expand ExtendedProperties
- | evaluate bag_unpack(ExtendedProperties, 'xp_')
- | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
- | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName), DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
- | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = 
tostring(InternetMessageId[0])
- | project-away RowNumber
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Audit%20Email%20Preview-Download%20action.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml
index 604b0d1d310..5f1ba6104dc 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Hunt for TABL changes.yaml
@@ -1,20 +1,4 @@
 id: bc2d8214-afb6-4876-b210-25b69325b9b2
 name: Hunt for TABL changes
 description: |
- This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
-description-detailed: |
- This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- CloudAppEvents
- | where ActionType contains "TenantAllowBlockListItems"
- | order by Timestamp desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Hunt%20for%20TABL%20changes.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml
index 9e6f4285d77..ed3e0096fbe 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Local time to UTC time conversion.yaml
@@ -1,20 +1,4 @@
 id: 712ffdd8-ddce-4372-85dd-063029b418cf
 name: Local time to UTC time conversion
 description: |
- Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
-description-detailed: |
- This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
- | where DeliveryAction == "Delivered"
- | where LatestDeliveryLocation == "Quarantine"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Local%20time%20to%20UTC%20time%20conversion.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml
index d01b5292321..daf1885f52e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/MDO daily detection summary report.yaml
@@ -1,66 +1,4 @@
 id: deb4b2c6-c10e-4044-8cf4-84243e40db73
 name: MDO daily detection summary report
 description: |
- This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
-description-detailed: |
- This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
- Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
- - AlertEvidence
- - EmailEvents
- - EmailPostDeliveryEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let QueryTime = 30d;
- let Reports = CloudAppEvents
- | where Timestamp > ago(QueryTime)
- | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
- | extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate)
- | extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId)
- | extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd"))
- | distinct Date_value,NetworkMessageID
- | summarize count() by Date_value
- | project Date_value, MessagesGotReported=count_;
- let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish")
- | extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict)
- | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
- | extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation))
- | summarize PostDeliveryTotalAIRInvestigations = count(),
- PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"),
- PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"),
- PostDeliveryAirMalicious = 
countif(DetectionFromAIR contains "Malicious")
- by Date_value //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks
- | project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious;
- let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime)
- | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
- | project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress);
- let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID
- | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received
- | summarize PostDeliveryZAP=count() by Date_value);
- let DeliveryByThreat = (DeliveryInboundEvents
- | where Timestamp > ago(QueryTime)
- | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
- | extend MDO_detection = parse_json(DetectionMethods)
- | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
- | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)"))
- | summarize TotalEmails = count(),
- Clean = countif(FirstSubcategory contains "Clean"),
- Malware = countif(FirstSubcategory contains "Malware"),
- Phish = countif(FirstSubcategory contains "Phish"),
- Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"),
- Bulk = countif(FirstSubcategory contains "Bulk")
- by Date_value;
- DeliveryByThreat
- | join 
kind=fullouter Reports on Date_value
- | join kind=fullouter PostDeliveryEvents on Date_value
- | join kind=fullouter ThreatByAutomation on Date_value
- | sort by Date_value asc
- | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
- | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/MDO%20daily%20detection%20summary%20report.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml
index f994e68557e..7d32b5b26f8 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Mail item accessed.yaml
@@ -1,21 +1,4 @@
 id: 81ede5df-2ec3-40a5-9dff-1fe6a841079d
 name: Mail item accessed
 description: |
- This query helps reviewing emails accessed by end users using cloud app events data
-description-detailed: |
- This query helps reviewing emails accessed by end users in their mailboxes using cloud app events data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where Timestamp > ago(30d)
- | extend Record= (parse_json(RawEventData)).RecordType
- | where Record == 50
- | take 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Mail%20item%20accessed.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
index 53af695df26..d80fdeeebf0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/Malicious email senders.yaml
@@ -1,22 +1,4 @@
 id: 63c799bc-7567-4e4d-97be-e143fcfaa333
 name: Malicious email senders
 description: |
- This query helps hunting for emails from a sender with at least one email in quarantine
-description-detailed: |
- This query helps hunting for emails from a sender with at least one email detected with a threat and sent into quarantine
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let SenderWithQuarantine = EmailEvents
- | where LatestDeliveryLocation == "Quarantine"
- | project SenderFromAddress;
- EmailEvents
- | where LatestDeliveryLocation == "Inbox/folder"
- | where SenderFromAddress in (SenderWithQuarantine)
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Malicious%20email%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml
index bc435dcca92..25e9d130fec 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/General/New TABL Items.yaml
@@ -1,33 +1,4 @@
 id: 92b76a34-502e-4a53-93ec-9fc37c3b358c
 name: New TABL Items
 description: |
- This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365.
-description-detailed: |
- This query helps identifying when new items being added to the Tenant/Allow Block List (TABL) in Defender for Office 365. The output includes details about both Allow and Block entries.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- CloudAppEvents
- | where ActionType == "New-TenantAllowBlockListItems"
- | extend Parameters = RawEventData.Parameters
- | mv-apply Parameters on (
- extend Out=bag_pack(tostring(Parameters.Name), Parameters.Value)
- | summarize Parameters=make_bag(Out)
- )
- | extend Allow=Parameters.Allow, Block=Parameters.Block, Entry=Parameters.Entries, ExpirationDate=Parameters.ExpirationDate, ListType=Parameters.ListType,ListSubType=Parameters.ListSubType, ModifiedBy=Parameters.ModifiedBy, NoExpiration=Parameters.NoExpiration, SubmissionID=Parameters.SubmissionID, SubmissionUserId=Parameters.SubmissionUserId, Notes=Parameters.Notes
- | extend Action=iff(Allow == "True", "Allow", iff(Block == "True", "Block", "Unknown")), AccountUpn=tostring(coalesce(SubmissionUserId, ModifiedBy))
- | project Timestamp, Action, ListType, ListSubType, Entry, ExpirationDate, NoExpiration, AccountUpn, Notes, SubmissionID, ReportId
- | order by Timestamp desc
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: FullName
- columnName: AccountUpn
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. 
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/New%20TABL%20Items.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml
index 1238dcb4159..ae18090f570 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Emails containing links to IP addresses.yaml
@@ -1,18 +1,4 @@
 id: 8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935
 name: Emails containing links to IP addresses
 description: |
- This query helps hunting for Emails containing links to IP addresses
-description-detailed: |
- This query helps hunting for Emails containing links to IP addresses using Defender for Office 365 data
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
-- InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailUrlInfo
- | where Url matches regex @"file://(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Emails%20containing%20links%20to%20IP%20addresses.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml
index 4418071d721..6340073f8aa 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Good emails from senders with bad patterns.yaml 
@@ -1,30 +1,4 @@
 id: e6259b03-622e-4e11-9c54-94987dad7c14
 name: Good emails from senders with bad patterns
 description: |
- This query helps hunting for good emails from senders with bad patterns
-description-detailed: |
- This query helps hunting for good emails from senders with bad patterns using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Good emails from senders with bad patterns
- let PctPhishThreshold = 50;
- let LookbackWindow = 1d;
- EmailEvents
- | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
- | extend PhishMethods=tostring(parse_json(DetectionMethods).Phish)
- | where PhishMethods contains ("File") or PhishMethods contains ("URL") or PhishMethods contains ("Filter")
- | summarize PhishCount=count() by SenderMailFromAddress,AuthenticationDetails,PhishMethods
- | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound"
- | summarize TotalCount=count() by SenderMailFromAddress,AuthenticationDetails) on SenderMailFromAddress,AuthenticationDetails
- | project-away SenderMailFromAddress1,AuthenticationDetails1
- | extend PctPhish = (PhishCount*100 / TotalCount)
- | where PctPhish < 100 and PctPhish>= PctPhishThreshold
- | join kind=inner (EmailEvents | where Timestamp > ago (LookbackWindow) and EmailDirection == "Inbound" and DeliveryLocation<> "Quarantine") on SenderMailFromAddress,AuthenticationDetails
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Good%20emails%20from%20senders%20with%20bad%20patterns.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml
index c89f0113cdd..30404987d23 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml
@@ -1,40 +1,4 @@
 id: fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72
 name: Hunt for email conversation take over attempts
 description: |
- This query helps hunting for email conversation take over attempts
-description-detailed: |
- This query helps hunting for email conversation take over attempts using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let emailDelivered = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
- | distinct Pair;
- let EmailDomains = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | distinct SenderFromDomain;
- EmailEvents
- | where Timestamp >= ago(4hrs)
- | where DeliveryLocation != "Quarantine"
- and EmailDirection == "Inbound"
- and OrgLevelAction != "Block"
- and UserLevelAction != "Block"
- | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
- | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
- | join kind=leftouter ( emailDelivered ) on Pair
- | order by SenderMailFromAddress
- | where NewMsg == false
- and Pair1 == ""
- | join kind=leftouter (EmailDomains) on SenderFromDomain
- | where SenderFromDomain1 == ""
- | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location.
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20email%20conversation%20take%20over%20attempts.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml
index 8404270426a..8d7416628a1 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml
@@ -1,28 +1,4 @@
 id: 57f95ba7-938d-4a76-b411-c01034c0d167
 name: Hunt for malicious URLs using external IOC source
 description: |
- This query helps hunt for emails with malicious URLs based on external IOC source
-description-detailed: |
- This query helps hunt for emails with malicious URLs based on URLs from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
- Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailUrlInfo
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let url = (externaldata(url: string )
- [@"https://urlhaus.abuse.ch/downloads/text_online/"]
- with (format="txt"))
- | project url;
- url
- | join (EmailUrlInfo
- | where Timestamp > ago(2h)
- ) on $left.url == $right.Url
- |join EmailEvents on NetworkMessageId
- |project Timestamp, NetworkMessageId, Url, UrlLocation, UrlDomain, SenderFromAddress, SenderDisplayName, SenderIPv4, Subject,RecipientEmailAddress, RecipientObjectId, LatestDeliveryAction, ThreatNames, ThreatTypes, DetectionMethods, DeliveryAction,ReportId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml
index e040a99bb93..ba145bc3895 100644
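Review bot: The added redirect in this stub points at the wrong migrated file: the file being replaced is `Hunt for malicious URLs using external IOC source.yaml`, yet the new-location link ends in `Hunt%20for%20malicious%20attachments%20using%20external%20IOC%20source.yaml`, and the next hunk (the attachments stub) has the mirror-image error, linking to the URLs file. Anyone following the old path lands on the other query's definition, which is a silent mismatch because both targets exist. The two last path segments should be swapped so that each stub names its own file, e.g. here `.../Hunting/Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml'`. The same class of mistake appears again in the `MDO_Countofrecipientsemailaddressesbysubject.YAML` stub further down, whose link ends in `MDO_CountOfSendersEmailaddressbySubject.YAML`; a check that the link's final segment equals the stub's own file name would have caught all three.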
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml
@@ -1,27 +1,4 @@
 id: 0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe
 name: Hunt for malicious attachments using external IOC source
 description: |
- This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source
-description-detailed: |
- This query helps hunt for emails with malicious attachments based on SH256 hash from external IOC source using Defender for Office 365 and Advance hunting in Microsoft Defender XDR
- Reference - https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-best-practices#ingest-data-from-external-sources
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailAttachmentInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let abuse_sha256 = (externaldata(sha256_hash: string)
- [@"https://bazaar.abuse.ch/export/txt/sha256/recent/"]
- with (format="txt"))
- | where sha256_hash !startswith "#"
- | project sha256_hash;
- abuse_sha256
- | join (EmailAttachmentInfo
- | where Timestamp > ago(1d)
- ) on $left.sha256_hash == $right.SHA256
- | project Timestamp,SenderFromAddress,RecipientEmailAddress,FileName,FileType,SHA256,ThreatTypes,DetectionMethods,NetworkMessageId,ReportId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Hunt%20for%20malicious%20URLs%20using%20external%20IOC%20source.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
index b5fb498c7dc..8d5e36cdbf1 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml
@@ -1,21 +1,4 @@
 id: 54569b06-47fc-41ae-9b00-f7d9b61337b6
 name: Inbox rule changes which forward-redirect email
 description: |
- This query helps hunting for Inbox rule changes which forward-redirect email
-description-detailed: |
- This query helps hunting for Inbox rule changes which forward-redirect email
- Reference - https://learn.microsoft.com/en-us/defender-office-365/detect-and-remediate-outlook-rules-forms-attack#what-is-the-outlook-rules-and-custom-forms-injection-attack
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - Persistence
-relevantTechniques:
- - T1098
-query: |
- CloudAppEvents
- | where ActionType contains "Set-InboxRule"
- |extend Parameters = tostring((parse_json(RawEventData)).Parameters)
- |where Parameters contains "ForwardTo" or Parameters contains "RedirectTo"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/Inbox%20rule%20change%20which%20forward-redirect%20email.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
index 9907db0a4f9..a90712253f6 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML
@@ -1,33 +1,4 @@
 id: 430a9c0d-f3ce-46a3-a994-92b3ada0d1b2
 name: MDO_CountOfRecipientsEmailaddressbySubject
 description: |
- Count of recipient's email addresses by subject
-description-detailed: |
- Count of recipient's email addresses by subject
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Count of recipient's email addresses by subject
- EmailEvents
- //Change the date for as far back as you want to go
- | where Timestamp > ago(10d)
- | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
- //Change the Count of how many times the email with the same subject has come in
- | where CountRecipientEmailAddress >= 15
- | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
index 318c7b7f6dc..31e34bf0e2e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML
@@ -1,33 +1,4 @@
 id: b95994d1-1008-4c42-a74f-9f2967e39ed6
 name: MDO_CountOfSendersEmailaddressbySubject
 description: |
- Count of sender's email addresses by subject
-description-detailed: |
- Count of sender's email addresses by subject
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Count of sender's email addresses by subject
- EmailEvents
- //Change the date for as far back as you want to go
- | where Timestamp > ago(10d)
- | summarize CountSenderFromAddress=count() by SenderFromAddress, Subject
- //Change the Count of how many times the email with the same subject has come in
- | where CountSenderFromAddress >= 10
- | project SenderFromAddress, CountSenderFromAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
index dd80a2b63e4..e4bc093cee2 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML
@@ -1,33 +1,4 @@
 id: f840db5b-87c9-43c8-a8c3-5b6b83838cd4
 name: MDO_Countofrecipientsemailaddressesbysubject
 description: |
- Count of recipient's email addresses by subject
-description-detailed: |
- Count of recipient's email addresses by subject
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Count of recipient's email addresses by subject
- EmailEvents
- //Change the date for as far back as you want to go
- | where Timestamp > ago(10d)
- | summarize CountRecipientEmailAddress=count() by RecipientEmailAddress, Subject
- //Change the Count of how many times the email with the same subject has come in
- | where CountRecipientEmailAddress >= 15
- | project RecipientEmailAddress, CountRecipientEmailAddress, Subject
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
index 9cd812817bc..564547e1ebf 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_SummaryOfSenders.YAML
@@ -1,36 +1,4 @@
 id: a96c1571-1f7d-48dc-8287-7df5a5f0d987
 name: MDO_SummaryOfSenders
 description: |
- Count of all Senders and where they were delivered
-description-detailed: |
- Count of all Senders and where they were delivered
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- //Distinct Count
- EmailEvents
- | summarize QuaratineEmails = count_distinct(DeliveryLocation == "Quarantine"),
- Emails = count_distinct(DeliveryLocation == "Inbox/folder"),
- JunkEmails = count_distinct(DeliveryLocation == "Junk folder")by SenderFromAddress
-
- //Count of all Senders and where they were delivered
- EmailEvents
- | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"),
- Emails = count(DeliveryLocation == "Inbox/folder"),
- JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_SummaryOfSenders.YAML'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML
index f79d2afbe42..9f83987b82a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Hunting/MDO_URLClickedinEmail.YAML
@@ -1,29 +1,4 @@
 id: 2c6e7f75-d83c-4344-afdc-83335fe550e6
 name: MDO_URLClickedinEmail
 description: |
- URLs clicked in Email
-description-detailed: |
- URLs clicked in Email
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ActionType == "ClickAllowed"
- //| where ActionType <> "ClickAllowed"
- | project AccountUpn, ActionType, Url
-metadata:
- source:
- kind: Community
- author:
- name: Matt Novitsch
- support:
- tier: Community
- categories:
- domains: [ "Security" ]
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Hunting/MDO_URLClickedinEmail.YAML'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml
index 2882a9f8cd8..dbea72deb0e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Detections by detection methods.yaml
@@ -1,46 +1,4 @@
 id: 1c51e10e-7f77-40bc-bd37-6aa55cdf94d6
 name: Detections by detection methods
 description: |
- This query helps reviewing malicious email detections by detection methods
-description-detailed: |
- This query helps reviewing malicious email detections by detection methods in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-detection-technology-in-email-entity
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(7d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | summarize TotalEmailCount = count(),
- Phish_detection = countif(isnotempty(MDO_detection.Phish)),
- Malware_detection = countif(isnotempty(MDO_detection.Malware)),
- Spam_detection = countif(isnotempty( MDO_detection.Spam)),
- URL_malicious_reputation = countif(MDO_detection.Phish == @'["URL malicious reputation"]' or MDO_detection.Malware == @'["URL malicious reputation"]'),
- URL_detonation_reputation = countif(MDO_detection.Phish == @'["URL detonation reputation"]' or MDO_detection.Malware == @'["URL detonation reputation"]'),
- URL_detonation = countif(MDO_detection.Phish == @'["URL detonation"]' or MDO_detection.Malware == @'["URL detonation"]'),
- Advanced_filter = countif(MDO_detection.Phish == @'["Advanced filter"]'),
- General_filter = countif(MDO_detection.Phish == @'["General filter"]'),
- Spoof_intra_org = countif(MDO_detection.Phish == @'["Spoof intra-org"]'),
- Spoof_external_domain = countif(MDO_detection.Phish == @'["Spoof external domain"]'),
- Spoof_DMARC = countif(MDO_detection.Phish == @'["Spoof DMARC"]'),
- Impersonation_brand = countif(MDO_detection.Phish == @'["Impersonation brand"]'),
- Impersonation_user = countif(MDO_detection.Phish == @'["Impersonation user"]'),
- Impersonation_domain =
countif(MDO_detection.Phish == @'["Impersonation domain"]'),
- Mixed_analysis_detection= countif(MDO_detection.Phish == @'["Mixed analysis detection"]'),
- File_reputation = countif(MDO_detection.Phish == @'["File reputation"]' or MDO_detection.Malware == @'["File reputation"]'),
- File_detonation = countif(MDO_detection.Phish == @'["File detonation"]' or MDO_detection.Malware == @'["File detonation"]'),
- File_detonation_reputation = countif(MDO_detection.Phish == @'["File detonation reputation"]' or MDO_detection.Malware == @'["File detonation reputation"]'),
- Antimalware_engine = countif(MDO_detection.Malware == @'["Antimalware engine"]'),
- Fingerprint_matching = countif(MDO_detection.Phish == @'["Fingerprint matching"]'),
- Mailbox_intelligence_impersonation = countif(MDO_detection.Phish == @'["Mailbox intelligence impersonation"]'),
- Campaign = countif(MDO_detection.Phish == @'["Campaign"]' or MDO_detection.Malware == @'["Campaign"]') by bin(Timestamp, 1d)
- | project Timestamp, TotalEmailCount, Phish_detection, Malware_detection, Spam_detection,URL_malicious_reputation,URL_detonation_reputation ,URL_detonation,Advanced_filter, General_filter,Spoof_intra_org,Spoof_external_domain,Spoof_DMARC,Impersonation_brand,Impersonation_user,Impersonation_domain,
- Mixed_analysis_detection,File_reputation,File_detonation,File_detonation_reputation,Antimalware_engine,Fingerprint_matching,Mailbox_intelligence_impersonation,Campaign
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Detections%20by%20detection%20methods.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
index 26445e81ceb..54c5f637bbd 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mail reply to new domain.yaml
@@ -1,40 +1,4 @@
 id: da7b973a-0045-4fd6-9161-269369336d24
 name: Mail reply to new domain
 description: |
- This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
-description-detailed: |
- This query helps reviewing mail that is likely a reply but there is no history of the people chatting and the domain is new
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let emailDelivered = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | extend Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress)
- | distinct Pair;
- let EmailDomains = EmailEvents
- | where Timestamp < ago(4hrs)
- and DeliveryAction == "Delivered"
- | distinct SenderFromDomain;
- EmailEvents
- | where Timestamp >= ago(4hrs)
- | where DeliveryLocation != "Quarantine"
- and EmailDirection == "Inbound"
- and OrgLevelAction != "Block"
- and UserLevelAction != "Block"
- | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
- | project Pair = strcat(SenderMailFromAddress,"|",RecipientEmailAddress), NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
- | join kind=leftouter ( emailDelivered ) on Pair
- | order by SenderMailFromAddress
- | where NewMsg == false
- and Pair1 == ""
- | join kind=leftouter (EmailDomains) on SenderFromDomain
- | where SenderFromDomain1 == ""
- | distinct Pair, NetworkMessageId, SenderFromDomain, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, ThreatTypes, DetectionMethods, NewMsg, Subject
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location.
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mail%20reply%20to%20new%20domain.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
index 0c3919bff60..b8730b7575e 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Mailflow by directionality.yaml
@@ -1,21 +1,4 @@
 id: 6b478186-da3b-4d71-beaa-aa5b42908499
 name: Mailflow by directionality
 description: |
- This query helps reviewing inbound / outbound / intra-org emails by domain per day
-description-detailed: |
- This query helps reviewing inbound / outbound / intra-org emails by domain per day
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | extend domain = substring(RecipientEmailAddress, indexof(RecipientEmailAddress, "@")+1)
- | summarize total=count() by EmailDirection, domain, bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Mailflow%20by%20directionality.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
index 69336a8e718..a864dbd8fe2 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Malicious emails detected per day.yaml
@@ -1,29 +1,4 @@
 id: da932998-81dd-4be4-963c-f4890cb4192e
 name: Malicious emails detected per day
 description: |
- This query helps reviewing Malware, Phishing, Spam emails caught per day
-description-detailed: |
- This query helps reviewing Malware, Phishing, Spam emails caught per day in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where DetectionMethods != ""
- | extend detection= parse_json(DetectionMethods)
- | extend Spam = tostring(detection.Spam)
- | extend Phish = tostring(detection.Phish)
- | extend Malware = tostring(detection.Malware)
- | where Spam != '' or Phish != '' or Malware != ''
- | extend detection = case(
- Malware != "", 'Malware',
- Phish != "", 'Phish',
- 'Spam')
- | summarize total=count() by detection, bin(Timestamp, 1d)
- | order by Timestamp asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Malicious%20emails%20detected%20per%20day.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
index f7b901cf9d4..43e055d2078 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Sender recipient contact establishment.yaml
@@ -1,35 +1,4 @@
 id: b2beec6a-2c1c-4319-a191-e70c2ee42857
 name: Sender recipient contact establishment
 description: |
- This query helps in checking the sender-recipient contact establishment status
-description-detailed: |
- This query helps in checking the sender-recipient contact establishment status using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let emailDelivered = EmailEvents
- | where Timestamp < ago(30d)
- and DeliveryAction == "Delivered"
- and SenderDisplayName contains "Microsoft"
- | summarize count() by SenderFromAddress
- | where count_ > 3 // ensuring that some level of communications has occured.
- | project SenderFromAddress;
- EmailEvents
- | where Timestamp > ago(24hrs)
- | where DeliveryAction == "Delivered"
- and EmailDirection == "Inbound"
- and OrgLevelAction != "Block"
- and UserLevelAction != "Block"
- and SenderDisplayName contains "Microsoft" //Change the name here
- | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true )
- | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
- | join kind=leftanti ( emailDelivered ) on SenderFromAddress
- | order by SenderMailFromAddress
- | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Sender%20recipient%20contact%20establishment.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
index 0f38e332aa5..22900e20111 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 malicious email senders.yaml
@@ -1,21 +1,4 @@
 id: 12225f50-9d41-4b78-8269-cc127d98654c
 name: Top 100 malicious email senders
 description: |
- This query helps reviewing top 100 malicious senders
-description-detailed: |
- This query helps reviewing top 100 senders sending malicious email in your organization in last 30 days using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where ThreatTypes has "Phish" or ThreatTypes has "Malware"
- | summarize total=count() by SenderMailFromAddress
- | top 100 by total
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20malicious%20email%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
index 56acd61b385..feae1339316 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Top 100 senders.yaml
@@ -1,20 +1,4 @@
 id: cadf6e78-2a9a-4fb5-b788-30a592d699d3
 name: Top 100 senders
 description: |
- This query helps reviewing top 100 senders in your organization in last 30 days
-description-detailed: |
- This query helps reviewing top 100 senders in your organization in last 30 days using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | summarize mailCountBySender = count() by SenderMailFromAddress
- | top 100 by mailCountBySender
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Top%20100%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
index 92570b4efb7..294a91fbe8b 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Mailflow/Zero day threats.yaml
@@ -1,20 +1,4 @@
 id: 95b0c7ed-2853-4343-80a9-ab076cf31e51
 name: Zero day threats
 description: |
- This query helps reviewing zero day threats via URL and file detonations
-description-detailed: |
- This query helps reviewing zero day threats via URL and file detonations using Defender for Office 365 data
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where DetectionMethods has "URL Detonation" or DetectionMethods has "File Detonation"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Mailflow/Zero%20day%20threats.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
index 78770fe82a9..b768649ed62 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml
@@ -1,30 +1,4 @@
 id: 439f817c-845c-4dda-a8d9-5c1f6831cee9
 name: Email containing malware accessed on a unmanaged device
 description: |
- In this query, we are looking for emails containing malware accessed on a unmanaged device
-description-detailed: |
- In this query, we are looking for emails containing malware accessed on a unmanaged device by MDE. The query using multiple data sources across Defender XDR including Defender for Office 365
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailPostDeliveryEvents
- - CloudAppEvents
- - AADSignInEventsBeta
-tactics:
- - Execution
-relevantTechniques:
- - T1204
-query: |
- EmailPostDeliveryEvents
- | where ActionType == "Malware ZAP"
- | project NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,ZAPReportId=ReportId,ZAPTimestamp=Timestamp
- | join (CloudAppEvents | where ActionType == "MailItemsAccessed"
- | extend RawEvent=parse_json(RawEventData)
- | mv-expand RawEvent.Folders
- | mv-expand RawEvent_Folders.FolderItems
- | project SessionId=tostring(RawEvent.SessionId),InternetMessageId=tostring(parse_json(RawEvent_Folders_FolderItems).InternetMessageId),ActionTimestamp=Timestamp,ActionReportId=ReportId
- ) on InternetMessageId
- | where isnotempty(SessionId)
- | join (AADSignInEventsBeta | where isempty(DeviceName) | distinct AccountUpn,SessionId) on SessionId
- | project AccountUpn,NetworkMessageId,InternetMessageId,ActionType,ThreatTypes,DetectionMethods,SessionId,ReportId=ActionReportId,Timestamp=ActionTimestamp
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20accessed%20on%20a%20unmanaged%20device.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
index 1f62c3f7a71..4fa08d467ff 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email containing malware sent by an internal sender.yaml
@@ -1,20 +1,4 @@
 id: 07c85687-6dee-4266-9345-1e34de85d989
 name: Email containing malware sent by an internal sender
 description: |
- In this query, we are looking for emails containing malware attachment sent by an internal sender
-description-detailed: |
- In this query, we are looking for emails containing malware attachment sent by an internal sender using Defender for Office 365 data
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - LateralMovement
-relevantTechniques:
- - T1534
-query: |
- EmailEvents
- | where EmailDirection == "Intra-org" or EmailDirection == "Outbound"
- | where ThreatTypes == "Malware" and SenderFromAddress !startswith "postmaster@" and SenderFromAddress !startswith "microsoftexchange"
- | join (EmailAttachmentInfo | where isnotempty(ThreatTypes)) on NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20containing%20malware%20sent%20by%20an%20internal%20sender.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
index 11228a4bb19..f043e09c75c 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Email malware detection report.yaml
@@ -1,26 +1,4 @@
 id: 23dbd58b-23ce-42ae-b4d1-0dfdd35871ea
 name: Email malware detection report
 description: |
- This query helps reviewing email malware detection cases
-description-detailed: |
- This query helps reviewing email malware detection cases in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailAttachmentInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(ThreatNames)
- | join kind=inner EmailAttachmentInfo on NetworkMessageId
- | extend ThreatFamilyAttachment = strcat(format_datetime(Timestamp,'yyyy-M-dd H:mm:ss'), " /", ThreatNames, " /", FileName, " /", NetworkMessageId)
- | summarize ThreatFamily_wih_Attachment= make_list(ThreatFamilyAttachment) by RecipientEmailAddress
- | extend Case = array_length(ThreatFamily_wih_Attachment)
- | project RecipientEmailAddress, Case, ThreatFamily_wih_Attachment
- | sort by Case desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Email%20malware%20detection%20report.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
index 1ac1617a435..66b80eaf5f6 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by detection methods.yaml
@@ -1,32 +1,4 @@
 id: a3619c75-a927-4dbb-91cc-9adc55e95bda
 name: Malware detections by detection methods
 description: |
- This query helps reviewing malware detections by detection methods
-description-detailed: |
- This query helps reviewing malware detections by detection methods in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | where MDO_detection.Malware in
- (
- @'["File detonation reputation"]',
- @'["File detonation"]',
- @'["File reputation"]',
- @'["Antimalware engine"]',
- @'["URL malicious reputation"]',
- @'["URL detonation reputation"]',
- @'["URL detonation"]'
- )
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Malware
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Malware/Malware%20detections%20by%20detection%20methods.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
index 5ebf204e44c..7724b51cec0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Admin overrides.yaml
@@ -1,21 +1,4 @@
 id: fd68706e-8e3e-4ccd-9230-1f267bdad4c8
 name: Admin overrides
 description: |
- This query helps in reviewing malicious emails allowed due to admin overrides
-description-detailed: |
- This query helps in reviewing malicious emails allowed due to admin defined detection overrides in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where DeliveryLocation == "Inbox/folder"
- | where isnotempty(ThreatTypes) and OrgLevelAction == "Allow"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Admin%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
index af30ca7a214..89c68d789e4 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing admin overrides.yaml
@@ -1,20 +1,4 @@
 id: c73ae295-d120-4f79-aaed-de005f766ad2
 name: Top policies performing admin overrides
 description: |
- This query helps in reviewing top policies for admin overrides (Allow/Block)
-description-detailed: |
- This query helps in reviewing top policies for admin defined detection overrides (Allow/Block)in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where Timestamp > ago(30d) and OrgLevelPolicy!="" and OrgLevelAction == "Allow" //"Block"
- | summarize count() by OrgLevelPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20admin%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
index 7f1dc112106..c7e00025985 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/Top policies performing user overrides.yaml
@@ -1,20 +1,4 @@
 id: fe2cb53e-4eb3-4676-87c1-f80d2813f542
 name: Top policies performing user overrides
 description: |
- This query helps in reviewing top policies for user overrides (Allow/Block)
-description-detailed: |
- This query helps in reviewing top policies for user defined detection overrides (Allow/Block)in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where Timestamp > ago(30d) and UserLevelPolicy!="" and UserLevelAction == "Allow" //"Block"
- | summarize count() by UserLevelPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/Top%20policies%20performing%20user%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
index cb4c06ce199..efd7e7d4e75 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Overrides/User overrides.yaml
@@ -1,21 +1,4 @@
 id: b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9
 name: User overrides
 description: |
- This query helps in reviewing malicious emails allowed due to user overrides
-description-detailed: |
- This query helps in reviewing malicious emails allowed due to user defined detection overrides in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/step-by-step-guides/understand-overrides-in-email-entity and https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-part-five-mastering/ba-p/4139035
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - DefenseEvasion
-relevantTechniques:
- - T1562
-query: |
- EmailEvents
- | where DeliveryLocation == "Inbox/folder"
- | where isnotempty(ThreatTypes) and UserLevelAction == "Allow"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Overrides/User%20overrides.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
index 557a0585c42..38cac5cdbc0 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/Appspot phishing abuse.yaml
@@ -1,31 +1,4 @@
 id: cdac93ef-56c0-45bf-9e7f-9cbf0ad06808
 name: Appspot Phishing Abuse
 description: |
- This query helps surface phishing campaigns associated with Appspot abuse.
-description-detailed: |
- This query helps surface phishing campaigns associated with Appspot abuse. These emails frequently contain phishing links that utilize the recipients' own email address as a unique identifier in the URI.
- This campaign was published on Twitter by @MsftSecIntel at this link: https://twitter.com/MsftSecIntel/status/1374148156301004800
- Reference - https://twitter.com/MsftSecIntel
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailUrlInfo
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailUrlInfo
- // Detect URLs with a subdomain on appspot.com
- | where UrlDomain matches regex @'\b[\w\-]+-dot-[\w\-\.]+\.appspot\.com\b'
- // Enrich results with sender and recipient data
- | join kind=inner EmailEvents on $left.NetworkMessageId==$right.NetworkMessageId
- // Phishing attempts from Appspot related campaigns typically contain the recipient's email address in the URI
- // Example 1: https://example-dot-example.appspot.com/#recipient@domain.com
- // Example 2: https://example-dot-example.appspot.com/index.html?user=recipient@domain.com
- | where Url has RecipientEmailAddress
- // Some phishing campaigns pass recipient email as a Base64 encoded string in the URI
- or Url has base64_encode_tostring(RecipientEmailAddress)
- | project-away Timestamp1, NetworkMessageId1, ReportId1
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/Appspot%20phishing%20abuse.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
index 8f85f9baca2..2634a11dc0a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml
@@ -1,39 +1,4 @@
 id: 9d59be10-54d9-478b-b669-fb4eb8517cd0
 name: Phish detections by detection methods
 description: |
- This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days
-description-detailed: |
- This query helps reviewing Phish detections done by some of the most frequent detection technologies in the last 7 days in Defender for Office 365
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(7d)
- | where isnotempty(DetectionMethods)
- | extend MDO_detection = parse_json(DetectionMethods)
- | where MDO_detection.Phish in
- (
- @'["URL malicious reputation"]',
- @'["URL detonation reputation"]',
- @'["URL detonation"]',
- @'["Advanced filter"]',
- @'["General filter"]',
- @'["Spoof intra-org"]',
- @'["Spoof external domain"]',
- @'["Spoof DMARC"]',
- @'["Impersonation brand"]',
- @'["Mixed analysis detection"]',
- @'["File reputation"]',
- @'["File detonation reputation"]',
- @'["File detonation"]',
- @'["Fingerprint matching"]'
- )
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | project Timestamp, NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, DeliveryLocation, MDO_detection.Phish
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Phish/PhishDetectionByDetectionMethod.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
index d57803288be..47fe4b44094 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with randomly named attachments.yaml
@@ -1,24 +1,4 @@
 id: 25150085-015a-4673-9b67-bc6ad9475500
 name: Campaign with randomly named attachments
 description: |
- In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients
-description-detailed: |
- In this detection,we hunt for emails with randomly named attachment names from the same sender to multiple recipients using Defender for Office 365 data, typically more than 50, can potentially indicate a QR code phishing campaign.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailAttachmentInfo
- | where Timestamp > ago(7d)
- | where FileType in ("png", "jpg", "jpeg", "gif", "svg")
- | where isnotempty(FileName)
- | extend firstFourFileName = substring(FileName, 0, 4)
- | summarize RecipientsCount = dcount(RecipientEmailAddress), FirstFourFilesCount = dcount(firstFourFileName), suspiciousEmails = make_set(NetworkMessageId, 10) by SenderFromAddress
- | where FirstFourFilesCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20randomly%20named%20attachments.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
index 0ef5dde9857..6f9b8a86104 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Campaign with suspicious keywords.yaml
@@ -1,25 +1,4 @@
 id: 9b086a51-e396-4718-90d7-f7b3646e6581
 name: Campaign with suspicious keywords
 description: |
- In this detection, we track emails with suspicious keywords in subjects.
-description-detailed: |
- In this detection, we track emails with suspicious keywords in subjects using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let PhishingKeywords = ()
- {pack_array("account", "alert", "bank", "billing", "card", "change", "confirmation","login", "password", "mfa", "authorize", "authenticate", "payment", "urgent", "verify", "blocked");};
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | where Subject has_any (PhishingKeywords())
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Campaign%20with%20suspicious%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
index 9c4aa61e48c..80ccb925cdd 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent senders.yaml
@@ -1,51 +1,4 @@
 id: 516046e8-a460-4f7b-86eb-421d3a9cdff1
 name: Custom detection-Emails with QR from non-prevalent senders
 description: |
- In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code
-description-detailed: |
- In this detection, we check the sender prevalence over the last 14 days and use the same to detect malicious activity via email containing QR code using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let QRCode_emails = EmailUrlInfo
- | where Timestamp > ago (2d)
- | where UrlLocation == "QRCode"
- | distinct Url,NetworkMessageId;
- let nMIDs = QRCode_emails | distinct NetworkMessageId;
- // Extracting sender of the email with QRCode:
- let senders_NMIDs = EmailEvents
- | where Timestamp > ago (2d)
- | where DeliveryAction != "Blocked" // Only delivered or Junked emails are interesting
- | where isnotempty(NetworkMessageId)
- | where NetworkMessageId in (nMIDs)
- | distinct Timestamp, NetworkMessageId, RecipientEmailAddress, SenderFromAddress, InternetMessageId, RecipientObjectId, ReportId;
- let senders = senders_NMIDs
- | distinct SenderFromAddress;
- // Checking sender prevalence in the organization
- let senderprevalence = EmailEvents
- | where Timestamp between (ago(14d)..(now()-24h))
- | where isnotempty(SenderFromAddress)
- | where SenderFromAddress in (senders)
- | summarize TotalEmailCount = count() by SenderFromAddress
- | where TotalEmailCount > 1;
- let prevalent_Sender = senderprevalence
- | where isnotempty (SenderFromAddress)
- | distinct SenderFromAddress;
- // Checking where email sender was not prevalent.
- let nMIDs_from_non_prevalent_Senders = senders_NMIDs
- | where SenderFromAddress !in (prevalent_Sender)
- | distinct NetworkMessageId;
- let QRCode_emails_from_non_prevalent_senders = QRCode_emails
- | where NetworkMessageId in (nMIDs_from_non_prevalent_Senders)
- | join kind=inner senders_NMIDs on NetworkMessageId
- | project Timestamp,Url,NetworkMessageId, InternetMessageId, RecipientObjectId,RecipientEmailAddress, ReportId;
- QRCode_emails_from_non_prevalent_senders
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Custom%20detection-Emails%20with%20QR%20from%20non-prevalent%20senders.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
index aa174855f68..3db6a34d930 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml
@@ -1,25 +1,4 @@
 id: 594fe5a1-53b6-466b-86df-028366c3994e
 name: Emails delivered having URLs from QR codes
 description: |
- In this query, we hunt for inbound emails delivered having URLs from QR codes
-description-detailed: |
- In this query, we hunt for inbound emails delivered having URLs from QR codes using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | project Timestamp, NetworkMessageId, SenderFromAddress, Subject, Url, UrlDomain, UrlLocation,RecipientEmailAddress
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20delivered%20having%20URLs%20from%20QR%20codes.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
index c5c3870f86f..cf65c6bc36f 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml
@@ -1,27 +1,4 @@
 id: 706b711a-7622-40f1-9ebb-331d1a0ff697
 name: Emails with QR codes and suspicious keywords in subject
 description: |
- In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject
-description-detailed: |
- In this query, we hunt for inbound emails having URLs from QR codes and suspicious keywords in subject using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let SubjectKeywords = ()
- {pack_array("authorize", "authenticate", "account", "confirmation", "QR", "login", "password", "payment", "urgent", "verify");};
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where Subject has_any (SubjectKeywords)
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20and%20suspicious%20keywords%20in%20subject.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
index 75848be8718..00dfe196733 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml
@@ -1,36 +1,4 @@
 id: f708c866-073a-4107-a60b-ba6f86e54caa
 name: Emails with QR codes from non-prevalent sender
 description: |
- In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders
-description-detailed: |
- In this query, we hunt for inbound emails having URLs from QR codes and send by non-prevalent senders using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let senderprevalence =
- EmailEvents
- | where Timestamp between (ago(7d)..(now()-24h))
- | where isnotempty(SenderFromAddress)
- | summarize TotalEmailCount = dcount(NetworkMessageId) by SenderFromAddress
- | where TotalEmailCount > 1;
- let prevalent_Sender = senderprevalence
- | where isnotempty (SenderFromAddress)
- | distinct SenderFromAddress;
- let QR_from_non_prevalent =
- EmailEvents
- | where EmailDirection == "Inbound"
- | where Timestamp > ago(1d)
- | where SenderFromAddress !in (prevalent_Sender)
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | distinct SenderFromAddress,Url,NetworkMessageId;
- QR_from_non_prevalent
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Emails%20with%20QR%20codes%20from%20non-prevalent%20sender.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
index 021f41bc3db..6e947ec8e16 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for sender patterns.yaml
@@ -1,47 +1,4 @@
 id: 68aa199c-259b-4bb0-8e7a-8ed6f96c5525
 name: Hunting for sender patterns
 description: |
- In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents
-description-detailed: |
- In this detection approach, we correlate email from non-prevalent senders in the organization with impersonation intents using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailAttachmentInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let PhishingSenderDisplayNames = ()
- {
- pack_array("IT", "support", "Payroll", "HR", "admin", "2FA", "notification", "sign", "reminder", "consent", "workplace",
- "administrator", "administration", "benefits", "employee", "update", "on behalf");
- };
- let suspiciousEmails = EmailEvents
- | where Timestamp > ago(1d)
- | where isnotempty(RecipientObjectId)
- | where isnotempty(SenderFromAddress)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | join kind=inner (EmailAttachmentInfo
- | where Timestamp > ago(1d)
- | where isempty(SenderObjectId)
- | where FileType has_any ("png", "jpg", "jpeg", "bmp", "gif")
- ) on NetworkMessageId
- | where SenderDisplayName has_any (PhishingSenderDisplayNames())
- | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId;
- let suspiciousSenders = suspiciousEmails | distinct SenderFromDomain;
- let prevalentSenders = materialize(EmailEvents
- | where Timestamp between (ago(7d) .. ago(1d))
- | where isnotempty(RecipientObjectId)
- | where isnotempty(SenderFromAddress)
- | where SenderFromDomain in (suspiciousSenders)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | distinct SenderFromDomain);
- suspiciousEmails
- | where SenderFromDomain !in (prevalentSenders)
- | project Timestamp, Subject, FileName, SenderFromDomain, RecipientObjectId, NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20sender%20patterns.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
index f251a00ca33..e229f40293d 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Hunting for user signals-clusters.yaml
@@ -1,26 +1,4 @@
 id: 8c852f12-499f-499b-afc1-25c50aa9b462
 name: Hunting for user signals-clusters
 description: |
- In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign.
-description-detailed: |
- In this detection,we use Email reported by user as malware or phish MDO alert as a starting point to identify the scope of a campaign. We use Emails with similar content are clustered by MDO together and the cluster ID is populated in the EmailClusterId field in EmailEvents table using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let suspiciousClusters = EmailEvents
- | where Timestamp > ago(7d)
- | where EmailDirection == "Inbound"
- | where NetworkMessageId in ("5ff15b1f-d731-4625-4c1c-08dc8615943f","00ff0916-1263-428c-a558-08dc86a6d3cd") //
- | distinct EmailClusterId;
- EmailEvents
- | where Timestamp > ago(7d)
- | where EmailDirection == "Inbound"
- | where EmailClusterId in (suspiciousClusters)
- | summarize make_set(Subject), make_set(SenderFromDomain), dcount(RecipientObjectId),dcount(SenderDisplayName) by EmailClusterId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Hunting%20for%20user%20signals-clusters.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
index 6a06e213170..50c6b1e3beb 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Inbound emails with QR code URLs.yaml
@@ -1,25 +1,4 @@
 id: f6354c94-3a95-4235-8530-414f016a7bf6
 name: Inbound emails with QR code URLs
 description: |
- In this query, we summarize volume of inbound emails with QR code URLs in last 30 days
-description-detailed: |
- In this query, we summarize volume of inbound emails with QR code URLs in last 30 days using Defender for Office 365 data.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - EmailUrlInfo
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where EmailDirection == "Inbound"
- | join EmailUrlInfo on NetworkMessageId
- | where UrlLocation == "QRCode"
- | summarize dcount(NetworkMessageId) by bin(Timestamp, 1d)
- | render timechart
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Inbound%20emails%20with%20QR%20code%20URLs.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
index a5e3f88b14d..dbb8d85d564 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml
@@ -1,25 +1,4 @@
 id: dc7e1eb5-16f5-4ad5-96a1-794970f4b310
 name: Personalized campaigns based on the first few keywords
 description: |
- In this detection, we track emails with personalized subjects.
-description-detailed: |
- In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where the first three words of the subject are the same, but the other values are personalized/unique.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | extend words = split(Subject," ")
- | project firstWord = tostring(words[0]), secondWord = tostring(words[1]), thirdWord = tostring(words[2]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
- | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstWord, secondWord, thirdWord, SenderFromAddress
- | where SubjectsCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20first%20few%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
index 14ce1a2eb7e..69d230043cf 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml
@@ -1,25 +1,4 @@
 id: 54d3455d-27e0-4ceb-99f9-375abd620151
 name: Personalized campaigns based on the last few keywords
 description: |
- In this detection, we track emails with personalized subjects.
-description-detailed: |
- In this detection, we track emails with personalized subjects using Defender for Office 365 data. To detect personalized subjects, we track campaigns where last three words of the subject are the same, but the other values are personalized/unique.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(1d)
- | where EmailDirection == "Inbound"
- | where DeliveryAction == "Delivered"
- | where isempty(SenderObjectId)
- | extend words = split(Subject," ")
- | project firstLastWord = tostring(words[-1]), secondLastWord = tostring(words[-2]), thirdLastWord = tostring(words[-3]), Subject, SenderFromAddress, RecipientEmailAddress, NetworkMessageId
- | summarize SubjectsCount = dcount(Subject), RecipientsCount = dcount(RecipientEmailAddress), suspiciousEmails = make_set(NetworkMessageId, 10) by firstLastWord, secondLastWord, thirdLastWord, SenderFromAddress
- | where SubjectsCount >= 10
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Personalized%20campaigns%20based%20on%20the%20last%20few%20keywords.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
index 0a596fcf021..38af94e2954 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml
@@ -1,31 +1,4 @@
 id: 8d298b5c-feca-4add-bd42-e43e0a317a88
 name: Risky sign-in attempt from a non-managed device
 description: |
- In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device.
-description-detailed: |
- In this detection,we hunt for any sign-in attempt from a non-managed, non-compliant, untrusted device as this can be taken into consideration, and a risk score for the sign-in attempt increases the anomalous nature of the activity.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- AADSignInEventsBeta
- | where Timestamp > ago(7d)
- | where IsManaged != 1
- | where IsCompliant != 1
- //Filtering only for medium and high risk sign-in
- | where RiskLevelDuringSignIn in (50, 100)
- | where ClientAppUsed == "Browser"
- | where isempty(DeviceTrustType)
- | where isnotempty(State) or isnotempty(Country) or isnotempty(City)
- | where isnotempty(IPAddress)
- | where isnotempty(AccountObjectId)
- | where isempty(DeviceName)
- | where isempty(AadDeviceId)
- | project Timestamp,IPAddress, AccountObjectId, ApplicationId, SessionId, RiskLevelDuringSignIn
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Risky%20sign-in%20attempt%20from%20a%20non-managed%20device.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
index 7b8e893aa13..8265d48d50b 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml
@@ -1,47 +1,4 @@
 id: 3131d0ba-32c9-483e-a25c-82e26a07e116
 name: Suspicious sign-in attempts from QR code phishing campaigns
 description: |
- This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices.
-description-detailed: |
- This detection approach correlates a user accessing an email with image/document attachments and a risky sign-in attempt from non-trusted devices in closer proximity and validates if the location from where the email item was accessed is different from the location of sign-in attempt.
- Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/hunting-and-responding-to-qr-code-based-phishing-attacks-with/ba-p/4074730
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
- - AADSignInEventsBeta
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let successfulRiskySignIn = materialize(AADSignInEventsBeta
- | where Timestamp > ago(1d)
- | where isempty(DeviceTrustType)
- | where IsManaged != 1
- | where IsCompliant != 1
- | where RiskLevelDuringSignIn in (50, 100)
- | project Timestamp, ReportId, IPAddress, AccountUpn, AccountObjectId, SessionId, Country, State, City
- );
- let suspiciousSignInUsers = successfulRiskySignIn
- | distinct AccountObjectId;
- let suspiciousSignInIPs = successfulRiskySignIn
- | distinct IPAddress;
- let suspiciousSignInCities = successfulRiskySignIn
- | distinct City;
- CloudAppEvents
- | where Timestamp > ago(1d)
- | where ActionType == "MailItemsAccessed"
- | where AccountObjectId in (suspiciousSignInUsers)
- | where IPAddress !in (suspiciousSignInIPs)
- | where City !in (suspiciousSignInCities)
- | join kind=inner successfulRiskySignIn on AccountObjectId
- | where AccountObjectId in (suspiciousSignInUsers)
- | where (Timestamp - Timestamp1) between (-5min .. 5min)
- | extend folders = RawEventData.Folders
- | mv-expand folders
- | extend items = folders.FolderItems
- | mv-expand items
- | extend InternetMessageId = tostring(items.InternetMessageId)
- | project Timestamp, ReportId, IPAddress, InternetMessageId, AccountObjectId, SessionId, Country, State, City
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/QR%20code/Suspicious%20sign-in%20attempts%20from%20QR%20code%20phishing%20campaigns.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml
index 5bb855719ed..57d4440e9f6 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Group quarantine release.yaml
@@ -1,24 +1,4 @@
 id: a12cac64-ea6d-46d4-91a6-262b165fb9ad
 name: Group quarantine release
 description: |
- This query helps in reviewing group Quarantine released messages by detection type. Useful to see what is leading to the largest number of messages being released.
-description-detailed: |
- This query helps in reviewing group Quarantine released messages by detection type in Defender for Office 365. Useful to see what is leading to the largest number of messages being released.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where ActionType == "QuarantineReleaseMessage"
- | extend parsed=parse_json(RawEventData)
- | extend NetworkMessageId = tostring(parsed.NetworkMessageId)
- | join EmailEvents on NetworkMessageId
- | summarize count() by DetectionMethods
- | order by count_ desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Group%20quarantine%20release.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml
index 023ece25ab7..a6ec216a6eb 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/High Confidence Phish Released.yaml
@@ -1,27 +1,4 @@
 id: 9e8faa62-7222-48a5-a78f-ef2d22f866dc
 name: High Confidence Phish Released
 description: |
- This query shows information about high confidence phish email that has been released from the Quarantine.
-description-detailed: |
- This query shows information about high confidence phish email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where ActionType == "QuarantineReleaseMessage"
- | project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
- | join kind=inner (
- EmailEvents
- | where todynamic(ConfidenceLevel).Phish == "High"
- | project-rename EmailTime = Timestamp
- ) on NetworkMessageId
- | project-away NetworkMessageId1
- | order by ReleaseTime asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/High%20Confidence%20Phish%20Released.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml
index a0a2020e247..749d55b23fb 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Release Email Details.yaml
@@ -1,27 +1,4 @@
 id: 6f96f6d7-d972-421e-a59f-6b9a8de81324
 name: Quarantine Release Email Details
 description: |
- This query shows information about email that has been released from the Quarantine in Defender for Office 365.
-description-detailed: |
- This query shows information about email that has been released from the Quarantine in Defender for Office 365. The details include the time each email was released and who it was released by.
- Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where ActionType == "QuarantineReleaseMessage"
- | project ReleaseTime = Timestamp, ResultStatus = RawEventData.ResultStatus, ActionType, ReleasedBy = tostring(RawEventData.UserId), NetworkMessageId = tostring(RawEventData.NetworkMessageId), ReleaseTo = RawEventData.ReleaseTo
- | join kind=inner (
- EmailEvents
- | project-rename EmailTime = Timestamp
- ) on NetworkMessageId
- | project-away NetworkMessageId1
- | order by ReleaseTime asc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20Release%20Email%20Details.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml
index 595cc35d1e9..b3851374ce1 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml
@@ -1,22 +1,4 @@
 id: 9f135aef-ad25-4df2-bdab-8399978a36a2
 name: Quarantine release trend
 description: |
- This query helps reviewing quarantine release trend in Defender for Office 365
-description-detailed: |
- This query helps reviewing quarantine release trend in Defender for Office 365
- Reference - https://learn.microsoft.com/en-us/defender-office-365/quarantine-admin-manage-messages-files
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - CloudAppEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- CloudAppEvents
- | where ActionType == "QuarantineReleaseMessage"
- | summarize count() by bin(Timestamp, 1d)
- | project-rename Releases = count_
- | render timechart with (title="Qurantine Releases by Day")
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Quarantine/Quarantine%20release%20trend.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml
index b193cdab50e..0b44a1ef43a 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Remediation/Email remediation action list.yaml
@@ -1,33 +1,4 @@
 id: 99713387-9d61-49eb-8edc-f51153d8bb01
 name: Listing Email Remediation Actions via Explorer
 description: |
- Listing Email Remediation Actions performed via Explorer in Defender for Office 365
-description-detailed: |
- Listing Email Remediation Actions performed via Explorer in Defender for Office 365
- - Track each cases with Network Message ID
- - Sort the users who got a number of actions
- - e.g. Soft Delete, Hard Delete, Move to junk folder, Move to deleted items
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailEvents
- | where Timestamp > ago(30d)
- | where LatestDeliveryAction in ("Hard delete", "Soft delete", "Moved to junk folder", "Moved to deleted items")
- | summarize HardDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Hard delete"),
- SoftDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Soft delete"),
- MoveToJunk_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to junk folder"),
- MoveToDelete_NetworkID = make_list_if(strcat(NetworkMessageId, @"\", Timestamp,@"\", Subject), LatestDeliveryAction == "Moved to deleted items") by RecipientEmailAddress
- | extend HardDelete_case = array_length(HardDelete_NetworkID)
- | extend SoftDelete_case = array_length(SoftDelete_NetworkID)
- | extend MoveToJunk_case = array_length(MoveToJunk_NetworkID)
- | extend MoveToDelete_case = array_length(MoveToDelete_NetworkID)
- | extend Sum_case = HardDelete_case + SoftDelete_case + MoveToJunk_case + MoveToDelete_case
- | project RecipientEmailAddress, Sum_case, HardDelete_case, SoftDelete_case, MoveToJunk_case, MoveToDelete_case, HardDelete_NetworkID, SoftDelete_NetworkID, MoveToJunk_NetworkID, MoveToDelete_NetworkID
- | order by Sum_case desc
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Remediation/Email%20remediation%20action%20list.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml
index ad4ed66303d..1f6abd4fa16 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml
@@ -1,35 +1,4 @@ id: 6a570927-8638-4a6f-ac09-72a7d51ffa3c name: Display Name - Spoof and Impersonation description: | - This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name -description-detailed: | - This query helps reviewing incoming email messages where the Display Name of the sender contains own or other partner company/brand name using Defender for Office 365 Data -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let emailDelivered = EmailEvents - | where Timestamp < ago(24hrs) - and DeliveryAction == "Delivered" - and SenderDisplayName contains "Microsoft" - | summarize count() by SenderFromAddress - | where count_ > 3 // ensuring that some level of communications has occurred. - | project SenderFromAddress; - EmailEvents - | where Timestamp > ago(24hrs) - | where DeliveryAction == "Delivered" - and EmailDirection == "Inbound" - and OrgLevelAction != "Block" - and UserLevelAction != "Block" - and SenderDisplayName contains "Microsoft" - | extend NewMsg = case(Subject contains "RE:", false, Subject contains "FW:", false, true ) - | project SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject - | join kind=leftanti ( emailDelivered ) on SenderFromAddress - | order by SenderMailFromAddress - | summarize count() by SenderDisplayName, SenderFromAddress, NetworkMessageId, SenderMailFromAddress, RecipientEmailAddress, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods, NewMsg, Subject -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. 
you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Display%20Name%20-%20Spoof%20and%20Impersonation.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml index c59b75f3048..490469c12c2 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Referral phish emails.yaml 
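Review bot: The `emailDelivered` allowlist in the query being moved out of this file trusts any `SenderFromAddress` that delivered more than three "Microsoft" display-name messages before the last 24 hours, with no direction, authentication or verdict condition, and the `leftanti` join then hides every new message from those senders. A sender that seeded four benign-looking messages two days ago drops out of the result entirely, which is exactly the pattern a patient impersonation campaign follows. If the migrated copy at the linked path carries the same baseline, I would tighten it, e.g. `| where Timestamp < ago(24hrs) and DeliveryAction == "Delivered" and EmailDirection == "Inbound" and ThreatTypes == ""`, and raise the `count_ > 3` threshold or lengthen the lookback. The hard-coded `contains "Microsoft"` on both sides should also be called out in the description as a tenant-specific placeholder to replace with the customer's own brand names.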
@@ -1,27 +1,4 @@ id: cdc4da1c-64a1-4941-be59-1f5cc85481ab name: referral-phish-emails description: | - Hunting for credential phishing using the "Referral" infrastructure using Defender for Office 365 data -description-detailed: | - The "Referral" infrastructure is a point-in-time set of infrastructure associated with spoofed emails that imitate SharePoint and other legitimate products to conduct credential phishing. The operator is also known to use legitimate URL infrastructure such as Google, Microsoft, and Digital Ocean to host their phishing pages. -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - EmailUrlInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let EmailAddresses = pack_array - ('zreffertalt.com.com','zreffesral.com.com','kzreffertal.com.com', - 'wzreffertal.com.com','refferal.comq','refferal.net','zreffertal.com.com', - 'zrefferal.com.com','refferasl.com.com','zreffesral.com','zrefsfertal.com.com', - 'irefferal.com','refferasl.co','zrefferal.com'); - EmailEvents - | where SenderMailFromDomain in (EmailAddresses) - | extend RecipientDomain = extract("[^@]+$", 0, RecipientEmailAddress) - | where SenderFromDomain == RecipientDomain - | join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Referral%20phish%20emails.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml index a846b40c439..70842c8038c 100644 
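Review bot: `| join EmailUrlInfo on $left.NetworkMessageId == $right.NetworkMessageId` in the query being relocated uses the default `innerunique` flavor, which keeps a single left-side row per `NetworkMessageId`; EmailEvents carries one row per recipient, so multi-recipient phish messages lose all but one recipient in the output. If the copy at the linked path is verbatim, change it to `| join kind=inner EmailUrlInfo on NetworkMessageId` so every recipient and URL pairing is kept. The variable named `EmailAddresses` actually holds sender domains matched against `SenderMailFromDomain`; renaming it to `SenderDomains` would make the indicator list read correctly.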
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml @@ -1,21 +1,4 @@ id: b3180ac0-6d94-494a-8b8c-fcc84319ea6e name: Spoof and impersonation detections by sender IP description: | - This query helps reviewing count of spoof and impersonation detections done per sender IP -description-detailed: | - This query helps reviewing count of spoof and impersonation detections done per sender IP using Defender for Office 365 data. - Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation") - | project Timestamp, EmailDirection, SenderFromAddress, AdditionalFields, SenderIPv4 - | summarize count() by SenderIPv4 -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20detections%20by%20sender%20IP.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml index e5e609c3044..e57b15bfbf7 100644 
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml @@ -1,22 +1,4 @@ id: 011c3d48-f6ca-405f-9763-66c7856ad2ba name: Spoof and impersonation phish detections description: | - This query helps reviewing count of phish detections done by spoof detection methods -description-detailed: | - This query helps reviewing count of phish detections done by spoof detection methods in Defender for Office 365. - Reference - https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/email-protection-basics-in-microsoft-365-spoof-and-impersonation/ba-p/3562938#:~:text=It%20detects%20impersonation%20based%20on%20each%20user%E2%80%99s%20individual -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - |where Timestamp > ago (30d) and (DetectionMethods contains 'spoof' or DetectionMethods contains "impersonation") - | project Timestamp, AR=parse_json(ThreatTypes) , DT=parse_json(DetectionMethods), EmailDirection, SenderFromAddress - | evaluate bag_unpack(DT) - | summarize count() by tostring(Phish) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/Spoof%20and%20impersonation%20phish%20detections.yaml' \ No newline at end of file 
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml index 02b7a73635d..51edd4fd13b 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml 
@@ -1,28 +1,4 @@ id: e90345b3-439c-44e1-a85d-8ae84ad9c65b name: User not covered under display name impersonation description: | - This query helps to find threats using display name impersonation for users not already protected with User Impersonation -description-detailed: | - This query helps to find threats using display name impersonation for users not already protected with User Impersonation -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - IdentityInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let display_names = - IdentityInfo - | summarize by AccountDisplayName - | project-rename SenderDisplayName = AccountDisplayName; - EmailEvents - | where EmailDirection == "Inbound" - | where ThreatNames != "" - | where ThreatNames !contains "Impersonation User" - | lookup kind=inner (display_names) on SenderDisplayName, $left.SenderDisplayName == $right.SenderDisplayName - | where SenderDisplayName != "" - | summarize by SenderDisplayName -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Spoof%20and%20Impersonation/User%20not%20covered%20under%20display%20name%20impersonation.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml index 1fcd30d2942..6d08dba8b05 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Admin reported submissions.yaml 
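Review bot: The `lookup kind=inner (display_names) on SenderDisplayName` in the relocated query is a case-sensitive exact match, so a sender display name that differs from the directory value only in casing or surrounding whitespace (`john smith` versus `John Smith`) is not reported, and that is a cheap evasion for display-name impersonation. If the migrated copy keeps this shape, normalise both sides before the lookup: `| extend SenderDisplayName = tolower(trim(" ", SenderDisplayName))` on the EmailEvents side, and `| extend SenderDisplayName = tolower(trim(" ", AccountDisplayName)) | summarize by SenderDisplayName` in place of the `project-rename` on the IdentityInfo side. It is also worth stating in the description that `where ThreatNames != ""` restricts the hunt to mail already flagged by some other detection, so the output is a coverage gap in user-impersonation protection rather than undetected impersonation.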
@@ -1,22 +1,4 @@ id: 71aeb41d-c85c-4569-bb08-6f1cd38bca49 name: Admin reported submissions description: | - This query helps reviewing admin reported email submissions -description-detailed: | - This query helps reviewing admin reported email submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | where Record == 29 - | where ActionType == "AdminSubmission" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Admin%20reported%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml index 0c6e9b3fe04..9bfe08b43f6 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Status of submissions.yaml 
@@ -1,25 +1,4 @@ id: 1c390fd7-2668-4445-9b7d-055f3851be5f name: Status of submissions description: | - This query helps reviewing status of submissions -description-detailed: | - This query helps reviewing status of submissions in Defender for Office 365. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "UserSubmission" or ActionType == "AdminSubmission" - | summarize count() by tostring(SubmissionState) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Status%20of%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml index dd461795c5c..d5294dfb592 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of admin submissions.yaml 
@@ -1,25 +1,4 @@ id: 2d2351ca-e9a6-4286-b445-a9268189c1dc name: Top submitters of admin submissions description: | - This query helps reviewing top submitters of admin submissions -description-detailed: | - This query helps reviewing top submitters of admin submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "AdminSubmission" - | summarize count() by tostring(UserKey) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20admin%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml index 47eb25afd28..2ac20f440b3 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/Top submitters of user submissions.yaml 
@@ -1,25 +1,4 @@ id: 8c9bc29b-f32a-49fe-8fe8-450479f4130f name: Top submitters of user submissions description: | - This query helps reviewing top submitters of user submissions -description-detailed: | - This query helps reviewing top submitters of user submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | extend UserKey = (parse_json(RawEventData)).UserKey - | where Record == 29 - | where ActionType == "UserSubmission" - | summarize count() by tostring(UserKey) - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/Top%20submitters%20of%20user%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml index 7bd93ee72a1..66a810fd7a3 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Submissions/User reported submissions.yaml 
@@ -1,22 +1,4 @@ id: 0bd33643-c517-48b1-8211-25a7fbd15a50 name: User reported submissions description: | - This query helps reviewing user reported email submissions -description-detailed: | - This query helps reviewing user reported email submissions in Defender for Office 365 -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - CloudAppEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - CloudAppEvents - | where Timestamp > ago(30d) - | extend Record= (parse_json(RawEventData)).RecordType - | extend SubmissionState = (parse_json(RawEventData)).SubmissionState - | where Record == 29 - | where ActionType == "UserSubmission" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Submissions/User%20reported%20submissions.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml index 016aa34627f..76213554372 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Attacked more than x times average.yaml 
@@ -1,24 +1,4 @@ id: de480ca4-4095-4fef-b3e7-2a3f17f24e78 name: Attacked more than x times average description: | - This query helps reviewing count of users attacked more than x times average. -description-detailed: | - This query helps reviewing count of users attacked more than x times average using Defender for Office 365 data. Update the value of x in the query to get desired results. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let AverageThreatPerRecipient = toscalar(EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | summarize avg(total)); - EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | where tolong(total) >= 1*AverageThreatPerRecipient // update "1" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Attacked%20more%20than%20x%20times%20average.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml index 3155eca2cc5..fdf14b77d4a 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml 
@@ -1,21 +1,4 @@ id: a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27 name: Malicious mails by sender IPs description: | - This query helps reviewing sender IPs sending malicious email of type Malware or Phish -description-detailed: | - This query helps reviewing sender IPs sending malicious email of type Malware or Phish using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago(30d) - | where ThreatTypes has "Phish" or ThreatTypes has "Malware" - | summarize count() by SenderIPv4 //SenderIPv6 - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Malicious%20mails%20by%20sender%20IPs.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml index c3c732a0424..068308325c6 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml 
@@ -1,27 +1,4 @@ id: 27ee28e7-423b-48c9-a410-cbc6c8e21d25 name: Top 10 URL domains attacking organization description: | - This query helps reviewing list of top 10 URL domains attacking the organization -description-detailed: | - This query helps reviewing list of top 10 URL domains attacking the organization using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents - - EmailUrlInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where ThreatTypes != "" - | extend detection= parse_json(DetectionMethods) - | extend Spam = tostring(detection.Spam) - | extend Phish = tostring(detection.Phish) - | where (Spam == '["URL malicious reputation"]') or (Phish == '["URL malicious reputation"]') or (Phish == '["URL detonation reputation"]') or (Phish == '["URL detonation"]') - | join EmailUrlInfo on NetworkMessageId - | summarize total=count() by UrlDomain - | top 10 by total - | render columnchart -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20URL%20domains%20attacking%20organization.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml index cf806f90a37..2bc82938c19 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml 
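Review bot: The `where (Spam == '["URL malicious reputation"]') or (Phish == ...)` filter in the relocated query compares the serialised `DetectionMethods` array to a literal string, so any message whose Spam or Phish entry lists a second method alongside the URL verdict silently drops out, and the top-10 undercounts exactly the messages with the most detections. If the copy at the linked path is unchanged, replace the four equalities with array semantics, e.g. `| where detection.Spam has "URL malicious reputation" or detection.Phish has_any ("URL malicious reputation", "URL detonation reputation", "URL detonation")`. The bare `| join EmailUrlInfo on NetworkMessageId` is also the default `innerunique` flavor, which keeps one EmailEvents row per message before fanning out to URLs; that may be the intent for counting domains, but it should be written as `kind=innerunique` or changed to `kind=inner` deliberately.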
@@ -1,25 +1,4 @@ id: e3b7b5c1-0e50-4dfb-b73a-c226636eaf58 name: Top 10% of most attacked users description: | - This query helps reviewing the list of top 10% of most attacked users -description-detailed: | - This query helps reviewing the list of top 10% of most attacked users using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - let topTargeted = toscalar( EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | summarize percentiles(total,90)); - EmailEvents - | where DetectionMethods != "" - | summarize total=count() by RecipientEmailAddress - | where total >= topTargeted - | order by total desc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%2010%20percent%20of%20most%20attacked%20users.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml index 7fa9cf13725..c3b61ee58e9 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top external malicious senders.yaml 
@@ -1,21 +1,4 @@ id: 9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2 name: Top external malicious senders description: | - This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days -description-detailed: | - This query helps reviewing external top malicious email sender with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago(30d) - | where EmailDirection == "Inbound" - | summarize count() by SenderFromAddress - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%20external%20malicious%20senders.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml index ba4fc6da181..fdbc333dbf2 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/Top Attacks/Top targeted users.yaml 
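Review bot: The query leaving this file has no threat condition at all: after `EmailDirection == "Inbound"` it counts every sender, so despite the name and description it ranks the busiest external senders, not malicious ones, and will be dominated by newsletters and SaaS notifications. The sibling Top targeted users query in the next hunk applies `ThreatTypes has "Malware" or ThreatTypes has "Phish"`, and this one needs the same line after the direction filter: `| where ThreatTypes has "Malware" or ThreatTypes has "Phish"`. Please verify the migrated copy at the linked path, since the pointer text gives no indication the bug was fixed on the way over.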
@@ -1,21 +1,4 @@ id: a1664330-810a-473b-b354-acbaa751a294 name: Top targeted users description: | - This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days -description-detailed: | - This query helps reviewing top targeted users with malware or phishing emails in an organization in last 30 days using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where Timestamp > ago(30d) - | where ThreatTypes has "Malware" or ThreatTypes has "Phish" - | summarize count() by RecipientEmailAddress - | sort by count_ -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Top%20Attacks/Top%20targeted%20users.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml index 65d69bfd6ad..577a39d3b0d 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/End user malicious clicks.yaml 
@@ -1,24 +1,4 @@ id: d24e9c4a-b72a-4a85-89cd-83760ae61155 name: End user malicious clicks description: | - This query helps reviewing list of top users click on Phis URLs -description-detailed: | - This query helps reviewing list of top users click on Phis URLs using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - UrlClickEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - UrlClickEvents - | where ThreatTypes contains "Phish" - | extend UrlBlocked = ActionType has_any("ClickBlocked") - | extend UrlAllowed = ActionType has_any('ClickAllowed') - | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress') - | extend ErrorPage = ActionType has_any('UrlErrorPage') - | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by AccountUpn - | sort by Blocked desc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/End%20user%20malicious%20clicks.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml index 4b7e4995da8..c99a4224e92 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click count by click action.yaml 
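Review bot: `| sort by Blocked desc` in the relocated query puts the users whose phish clicks were stopped at the top, while the security-relevant rows are those with non-zero `Allowed` or `ClickedThrough`, the clicks that actually reached the page. If the copy at the linked path keeps this ordering, change it to `| sort by ClickedThrough desc, Allowed desc, Blocked desc` so an analyst reads the exposed users first. The description's "Phis" is presumably "Phish" and is worth fixing in the migrated file too.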
@@ -1,22 +1,4 @@ id: 3f007cdc-86bf-4657-9015-05101a3e54f5 name: URL click count by click action description: | - This query helps reviewing URL click count by ClickAction -description-detailed: | - This query helps reviewing URL click count by ClickAction using Defender for Office 365 data. -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - UrlClickEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - UrlClickEvents - | extend UrlBlocked = ActionType has_any("ClickBlocked") - | extend UrlAllowed = ActionType has_any('ClickAllowed') - | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress') - | extend ErrorPage = ActionType has_any('UrlErrorPage') - | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20click%20count%20by%20click%20action.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml index 7314fe0f1d5..a139c111795 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL click on ZAP Email.yaml 
@@ -1,23 +1,4 @@ id: efe27064-6d35-4720-b7f5-e0326695613d name: URL click on ZAP email description: | - In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge -description-detailed: | - In this query, we are looking for Url clicks on emails which get actioned by Zerohour auto purge (ZAP) in Defender for Office 365. - Reference - https://learn.microsoft.com/en-us/defender-office-365/zero-hour-auto-purge -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - UrlClickEvents - - Alertinfo - - AlertEvidence -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - AlertInfo - | where Title contains "Email messages containing malicious URL removed after delivery" and Timestamp > ago (7d) - | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId - | join UrlClickEvents on NetworkMessageId -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20click%20on%20ZAP%20Email.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml index 203a82bb8ae..3545269f012 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URL clicks actions by URL.yaml 
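Review bot: The two joins in the relocated ZAP query differ in flavor: `join kind=inner (AlertEvidence | where EntityType == "MailMessage") on AlertId` is explicit, but the bare `| join UrlClickEvents on NetworkMessageId` runs as `innerunique` and keeps only one alert/evidence row per `NetworkMessageId`, so when the same message appears in several alerts or evidence rows the surviving alert context is arbitrary. If the migrated copy is unchanged, make the second join `| join kind=inner UrlClickEvents on NetworkMessageId`. The connector metadata lists `Alertinfo` while the query reads `AlertInfo`; if the solution validator compares data-type names literally that entry should be corrected to `AlertInfo` at the destination, though I cannot confirm the validator's behaviour from here.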
@@ -1,22 +1,4 @@
 id: bc46e331-3cb0-483d-9c90-989d2a59457f
 name: URL clicks actions by URL
 description: |
- In this query, we are looking URL click actions by URL in the last 7 days
-description-detailed: |
- In this query, we are looking URL click actions by URL in the last 7 days using Defender for Office 365 data.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | extend UrlBlocked = ActionType has_any("ClickBlocked")
- | extend UrlAllowed = ActionType has_any('ClickAllowed')
- | extend UrlPendingVerdict = ActionType has_any('UrlScanInProgress')
- | extend ErrorPage = ActionType has_any('UrlErrorPage')
- | summarize Blocked = countif(UrlBlocked), Allowed = countif(UrlAllowed), PendingVerdict = countif(UrlPendingVerdict), Error = countif(ErrorPage), ClickedThrough = countif(IsClickedThrough) by Url
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URL%20clicks%20actions%20by%20URL.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
index 83669de1661..ec909fbb618 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml
@@ -1,22 +1,4 @@
 id: 03e61096-20d0-46eb-b8e0-a507dd00a19f
 name: URLClick details based on malicious URL click alert
 description: |
- In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected
-description-detailed: |
- In this query, we are looking for Url clicks on emails which are generated the alert-A potentially malicious URL click was detected in Defender for Office 365.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
- - Alertinfo
- - AlertEvidence
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- AlertInfo
- | where Title contains "Potentially malicious" and Timestamp > ago (30d)
- | join kind=inner (AlertEvidence| where EntityType == "MailMessage") on AlertId
- | join UrlClickEvents on NetworkMessageId
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/URLClick%20details%20based%20on%20malicious%20URL%20click%20alert.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
index cbc81471bec..f1aaa163cde 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicked through events.yaml
@@ -1,20 +1,4 @@
 id: f075d4c4-cf76-4e5d-9c2d-9ed524286316
 name: User clicked through events
 description: |
- This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page.
-description-detailed: |
- This query helps reviewing malicious clicks where user was allowed to proceed through malicious URL page via click though option on SafeLinks warning page in Defender for Office 365.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ActionType == "ClickAllowed" or IsClickedThrough !="0"
- | where ThreatTypes has "Phish"
- | summarize by ReportId, IsClickedThrough, AccountUpn, NetworkMessageId, ThreatTypes
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicked%20through%20events.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
index 8b5f6f204a2..fd1c9dea770 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on malicious inbound emails.yaml
@@ -1,28 +1,4 @@
 id: 891f4865-75e5-4d40-bc24-ebf97da3ca9a
 name: User clicks on malicious inbound emails
 description: |
- This query provides insights on users who clicked on a suspicious URL
-description-detailed: |
- This query provides insights on users who clicked on a suspicious URL from phishing/malware-categorized inbound emails over the past 30 days using Defender for Office 365 Data.
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- let UrlClicked = (UrlClickEvents
- | where ActionType == "ClickAllowed" or IsClickedThrough !="0"
- | extend Device_IPv4 = IPAddress
- | project ActionType, Device_IPv4, Url, UrlChain, IPAddress, NetworkMessageId);
- EmailEvents
- | where Timestamp > ago(30d)
- | where isnotempty(ThreatTypes) and EmailDirection == "Inbound"
- | where ThreatTypes has_any ("Malware", "Phish")
- | extend SenderFromAddress_IPv4 = strcat(SenderFromAddress, ", ", SenderIPv4)
- | join kind = inner UrlClicked on NetworkMessageId
- | project Timestamp,NetworkMessageId, Subject, SenderFromAddress_IPv4, RecipientEmailAddress, ThreatTypes, ActionType, Url, UrlChain, Device_IPv4, LatestDeliveryLocation, LatestDeliveryAction, EmailAction, EmailActionPolicy
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicks%20on%20malicious%20inbound%20emails.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
index b7f82b3f328..3ee8bde4fba 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml
@@ -1,21 +1,4 @@
 id: d823da0e-1334-4a66-8ff4-2c2c40d26295
 name: User clicks on phishing URLs in emails
 description: |
- This query helps in determining clickthroughs when email delivered because of detection overrides.
-description-detailed: |
- This query helps in determining clickthroughs, potential deliveries through User/Tenant overrides and detection details for malicious clicks on URLs in emails
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailEvents
- - UrlClickEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- UrlClickEvents
- | where ThreatTypes has "Phish"
- | join EmailEvents on NetworkMessageId, $left.AccountUpn == $right.RecipientEmailAddress
- | project Timestamp, Url, ActionType, AccountUpn, ReportId, NetworkMessageId, ThreatTypes, IsClickedThrough, DeliveryLocation, OrgLevelAction, UserLevelAction
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL%20Click/User%20clicks%20on%20phishing%20URLs%20in%20emails.yaml'
\ No newline at end of file
diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
index 3440bc2f62a..3214cee52a3 100644
--- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
+++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Phishing Email Url Redirector.yaml
@@ -1,23 +1,4 @@ id: 08aff8c6-b983-43a3-be95-68a10c3d35e6 name: PhishingEmailUrlRedirector (1) description: | - The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. -description-detailed: | - The query helps detect emails associated with the open redirector URL campaign using Defender for Office 365 data. The campaign's URLs begin with the distinct pattern, hxxps://t[.]domain[.]tld/r/?. Attackers use URL redirection to manipulate users into visiting a malicious website or to evade detection. - This query was originally published on Twitter, by @MsftSecIntel. - Reference - https://twitter.com/MsftSecIntel -requiredDataConnectors: -- connectorId: MicrosoftThreatProtection - dataTypes: - - EmailUrlInfo -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailUrlInfo - //This regex identifies emails containing the "T-Dot" redirector pattern in the URL - | where Url matches regex @"s?\:\/\/(?:www\.)?t\.(?:[\w\-\.]+\/+)+(?:r|redirect)\/?\?" - //This regex narrows in on emails that contain the known malicious domain pattern in the URL from the most recent campaigns - and Url matches regex @"[a-zA-Z]\-[a-zA-Z]{2}\.(xyz|club|shop)" -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL/Phishing%20Email%20Url%20Redirector.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml index 05a10116d63..523ac201442 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/URL/SafeLinks URL detections.yaml 
@@ -1,23 +1,4 @@ id: 492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9 name: SafeLinks URL detections description: | - This query provides insights on the detections done by SafeLinks protection in Defender for Office 365 -description-detailed: | - This query provides insights on the detections done by SafeLinks protection in Defender for Office 365 - Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-links-about -requiredDataConnectors: - - connectorId: MicrosoftThreatProtection - dataTypes: - - EmailEvents -tactics: - - InitialAccess -relevantTechniques: - - T1566 -query: | - EmailEvents - | where DetectionMethods != "" - | extend detection= tostring(parse_json(DetectionMethods).Phish) - | where detection == '["URL detonation reputation"]' or detection == '["URL detonation"]' - | summarize total=count() by bin(Timestamp, 1d) - | order by Timestamp asc -version: 1.0.0 \ No newline at end of file + 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/URL/SafeLinks%20URL%20detections.yaml' \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml b/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml index 3c934312a33..dd3677ed551 100644 --- a/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml +++ b/Hunting Queries/Microsoft 365 Defender/Email Queries/ZAP/Total ZAP count.yaml 
@@ -1,20 +1,4 @@
 id: c10b22a0-6021-46f9-bdaf-05bf2350a554
 name: Total ZAP count
 description: |
- This query helps reviewing count of total ZAP events
-description-detailed: |
- This query helps reviewing count of total ZAP events in Defender for Office 365
-requiredDataConnectors:
- - connectorId: MicrosoftThreatProtection
- dataTypes:
- - EmailPostDeliveryEvents
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1566
-query: |
- EmailPostDeliveryEvents
- | where Timestamp > ago(30d)
- | where ActionType == "Phish ZAP" or ActionType == "Malware ZAP"
- | count
-version: 1.0.0
\ No newline at end of file
+ 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/ZAP/Total%20ZAP%20count.yaml'
\ No newline at end of file
From f7e64d0cc003d5b41675bc2cb793625637cd682f Mon Sep 17 00:00:00 2001
From: v-shukore
Date: Fri, 20 Sep 2024 16:38:10 +0530
Subject: [PATCH 3/8] Update HuntingQueriesMigrated.json
---
 .../V2/MigratedContent/HuntingQueriesMigrated.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
index 150164ba942..3a9057365c4 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json
@@ -1388,6 +1388,11 @@
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
 "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
 {
+ "templateName": "New TABL Items.yaml",
+ "id": "92b76a34-502e-4a53-93ec-9fc37c3b358c",
+ "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
+ "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
+ {
 "templateName": "Good emails from senders with bad patterns.yaml",
 "id": "e6259b03-622e-4e11-9c54-94987dad7c14",
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
@@ -1523,6 +1528,11 @@
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
 "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
 {
+ "templateName": "PhishDetectionByDetectionMethod.yaml",
+ "id": "9d59be10-54d9-478b-b669-fb4eb8517cd0",
+ "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
+ "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
+ {
 "templateName": "Campaign with randomly named attachments.yaml",
 "id": "25150085-015a-4673-9b67-bc6ad9475500",
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
From 25d085353cbefb8887644998e1cac251d7c60062 Mon Sep 17 00:00:00 2001
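Review bot: Both new map entries record `OldPath` and `NewPath` only at folder level (`.../Email%20Queries/` and `.../Hunting%20Queries/`), while the redirect stubs added in this same series link to `Hunting%20Queries/Email%20Queries/<category>/<file>.yaml`, so `NewPath` + `templateName` does not resolve to the relocated file and the category subfolder is lost on both sides. This matches the surrounding entries, so it is presumably the map's intended granularity; worth confirming the consumer never needs to open the file from these paths, since a folder-only map cannot be used to verify that the relocated template actually exists. The ids `92b76a34-…` and `9d59be10-…` also appear in the SkipValidationsTemplates.json hunk of this series with the same template names, so the two files agree. The enclosing JSON array starts and ends outside both hunks.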
From: v-shukore Date: Fri, 20 Sep 2024 16:38:20 +0530 Subject: [PATCH 4/8] Update SkipValidationsTemplates.json --- .../SkipValidationsTemplates.json | 431 ++++++++++++++++++ 1 file changed, 431 insertions(+) diff --git a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json index dc1ff05fee7..9bda2566a31 100644 --- a/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json +++ b/.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json 
@@ -3178,7 +3178,438 @@ "id": "ed8a116c-07b4-441c-b74b-395937c264a1", "templateName": "SymantecVIP.yaml", "validationFailReason": "Missing column name from custom table 'CollectorHostName' which is already added to the Custom table " + }, + { + "id": "518e6938-10ef-4165-af19-82f1287141bc", + "templateName": "ATP policy status check.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "b6392f39-a1f4-4ec8-8689-4cb9d28c295a", + "templateName": "JNLP attachment.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "16eda414-1550-4cdc-8512-0769901d3f05", + "templateName": "Safe attachment detection.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422", + "templateName": "Authentication failures.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "5971f2e7-1bb2-4170-aa7a-577ed8a45c72", + "templateName": "Spoof attempts with auth failure.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "ba1a91ad-1f99-4386-b191-06a76ef213f8", + "templateName": "Audit Email Preview-Download action.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "bc2d8214-afb6-4876-b210-25b69325b9b2", + "templateName": "Hunt for TABL changes.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for 
redirecting the customers to new location" + }, + { + "id": "712ffdd8-ddce-4372-85dd-063029b418cf", + "templateName": "Local time to UTC time conversion.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "deb4b2c6-c10e-4044-8cf4-84243e40db73", + "templateName": "MDO daily detection summary report.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "81ede5df-2ec3-40a5-9dff-1fe6a841079d", + "templateName": "Mail item accessed.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "63c799bc-7567-4e4d-97be-e143fcfaa333", + "templateName": "Malicious email senders.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "92b76a34-502e-4a53-93ec-9fc37c3b358c", + "templateName": "New TABL Items.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935", + "templateName": "Emails containing links to IP addresses.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "e6259b03-622e-4e11-9c54-94987dad7c14", + "templateName": "Good emails from senders with bad patterns.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72", + "templateName": "Hunt for email conversation take over attempts.yaml", 
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "57f95ba7-938d-4a76-b411-c01034c0d167", + "templateName": "Hunt for malicious URLs using external IOC source.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe", + "templateName": "Hunt for malicious attachments using external IOC source.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "54569b06-47fc-41ae-9b00-f7d9b61337b6", + "templateName": "Inbox rule change which forward-redirect email.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2", + "templateName": "MDO_CountOfRecipientsEmailaddressbySubject.YAML", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "b95994d1-1008-4c42-a74f-9f2967e39ed6", + "templateName": "MDO_CountOfSendersEmailaddressbySubject.YAML", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "f840db5b-87c9-43c8-a8c3-5b6b83838cd4", + "templateName": "MDO_Countofrecipientsemailaddressesbysubject.YAML", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "a96c1571-1f7d-48dc-8287-7df5a5f0d987", + "templateName": "MDO_SummaryOfSenders.YAML", + "validationFailReason": "Since the content moved to new location, created 
dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "2c6e7f75-d83c-4344-afdc-83335fe550e6", + "templateName": "MDO_URLClickedinEmail.YAML", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6", + "templateName": "Detections by detection methods.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "da7b973a-0045-4fd6-9161-269369336d24", + "templateName": "Mail reply to new domain.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "6b478186-da3b-4d71-beaa-aa5b42908499", + "templateName": "Mailflow by directionality.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "da932998-81dd-4be4-963c-f4890cb4192e", + "templateName": "Malicious emails detected per day.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "b2beec6a-2c1c-4319-a191-e70c2ee42857", + "templateName": "Sender recipient contact establishment.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "12225f50-9d41-4b78-8269-cc127d98654c", + "templateName": "Top 100 malicious email senders.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "cadf6e78-2a9a-4fb5-b788-30a592d699d3", + "templateName": "Top 100 senders.yaml", 
+ "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "95b0c7ed-2853-4343-80a9-ab076cf31e51", + "templateName": "Zero day threats.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "439f817c-845c-4dda-a8d9-5c1f6831cee9", + "templateName": "Email containing malware accessed on a unmanaged device.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "07c85687-6dee-4266-9345-1e34de85d989", + "templateName": "Email containing malware sent by an internal sender.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea", + "templateName": "Email malware detection report.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "a3619c75-a927-4dbb-91cc-9adc55e95bda", + "templateName": "Malware detections by detection methods.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "fd68706e-8e3e-4ccd-9230-1f267bdad4c8", + "templateName": "Admin overrides.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "c73ae295-d120-4f79-aaed-de005f766ad2", + "templateName": "Top policies performing admin overrides.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers 
to new location" + }, + { + "id": "fe2cb53e-4eb3-4676-87c1-f80d2813f542", + "templateName": "Top policies performing user overrides.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9", + "templateName": "User overrides.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "templateName": "Appspot phishing abuse.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "9d59be10-54d9-478b-b669-fb4eb8517cd0", + "templateName": "PhishDetectionByDetectionMethod.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "25150085-015a-4673-9b67-bc6ad9475500", + "templateName": "Campaign with randomly named attachments.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "9b086a51-e396-4718-90d7-f7b3646e6581", + "templateName": "Campaign with suspicious keywords.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "516046e8-a460-4f7b-86eb-421d3a9cdff1", + "templateName": "Custom detection-Emails with QR from non-prevalent senders.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "594fe5a1-53b6-466b-86df-028366c3994e", + "templateName": "Emails delivered having URLs from QR 
codes.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "706b711a-7622-40f1-9ebb-331d1a0ff697", + "templateName": "Emails with QR codes and suspicious keywords in subject.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "f708c866-073a-4107-a60b-ba6f86e54caa", + "templateName": "Emails with QR codes from non-prevalent sender.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "68aa199c-259b-4bb0-8e7a-8ed6f96c5525", + "templateName": "Hunting for sender patterns.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "8c852f12-499f-499b-afc1-25c50aa9b462", + "templateName": "Hunting for user signals-clusters.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "f6354c94-3a95-4235-8530-414f016a7bf6", + "templateName": "Inbound emails with QR code URLs.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "dc7e1eb5-16f5-4ad5-96a1-794970f4b310", + "templateName": "Personalized campaigns based on the first few keywords.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "54d3455d-27e0-4ceb-99f9-375abd620151", + "templateName": "Personalized campaigns based on the last few keywords.yaml", + "validationFailReason": "Since the content moved to new 
location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "8d298b5c-feca-4add-bd42-e43e0a317a88", + "templateName": "Risky sign-in attempt from a non-managed device.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "3131d0ba-32c9-483e-a25c-82e26a07e116", + "templateName": "Suspicious sign-in attempts from QR code phishing campaigns.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "a12cac64-ea6d-46d4-91a6-262b165fb9ad", + "templateName": "Group quarantine release.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "9e8faa62-7222-48a5-a78f-ef2d22f866dc", + "templateName": "High Confidence Phish Released.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "6f96f6d7-d972-421e-a59f-6b9a8de81324", + "templateName": "Quarantine Release Email Details.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "9f135aef-ad25-4df2-bdab-8399978a36a2", + "templateName": "Quarantine release trend.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "99713387-9d61-49eb-8edc-f51153d8bb01", + "templateName": "Email remediation action list.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": 
"6a570927-8638-4a6f-ac09-72a7d51ffa3c", + "templateName": "Display Name - Spoof and Impersonation.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "cdc4da1c-64a1-4941-be59-1f5cc85481ab", + "templateName": "Referral phish emails.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "b3180ac0-6d94-494a-8b8c-fcc84319ea6e", + "templateName": "Spoof and impersonation detections by sender IP.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "011c3d48-f6ca-405f-9763-66c7856ad2ba", + "templateName": "Spoof and impersonation phish detections.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "e90345b3-439c-44e1-a85d-8ae84ad9c65b", + "templateName": "User not covered under display name impersonation.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "71aeb41d-c85c-4569-bb08-6f1cd38bca49", + "templateName": "Admin reported submissions.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "1c390fd7-2668-4445-9b7d-055f3851be5f", + "templateName": "Status of submissions.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "2d2351ca-e9a6-4286-b445-a9268189c1dc", + "templateName": "Top submitters of admin submissions.yaml", + "validationFailReason": 
"Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "8c9bc29b-f32a-49fe-8fe8-450479f4130f", + "templateName": "Top submitters of user submissions.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "0bd33643-c517-48b1-8211-25a7fbd15a50", + "templateName": "User reported submissions.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "de480ca4-4095-4fef-b3e7-2a3f17f24e78", + "templateName": "Attacked more than x times average.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27", + "templateName": "Malicious mails by sender IPs.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "27ee28e7-423b-48c9-a410-cbc6c8e21d25", + "templateName": "Top 10 URL domains attacking organization.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58", + "templateName": "Top 10 percent of most attacked users.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2", + "templateName": "Top external malicious senders.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": 
"a1664330-810a-473b-b354-acbaa751a294", + "templateName": "Top targeted users.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "d24e9c4a-b72a-4a85-89cd-83760ae61155", + "templateName": "End user malicious clicks.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "3f007cdc-86bf-4657-9015-05101a3e54f5", + "templateName": "URL click count by click action.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "efe27064-6d35-4720-b7f5-e0326695613d", + "templateName": "URL click on ZAP Email.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "bc46e331-3cb0-483d-9c90-989d2a59457f", + "templateName": "URL clicks actions by URL.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "03e61096-20d0-46eb-b8e0-a507dd00a19f", + "templateName": "URLClick details based on malicious URL click alert.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "f075d4c4-cf76-4e5d-9c2d-9ed524286316", + "templateName": "User clicked through events.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "891f4865-75e5-4d40-bc24-ebf97da3ca9a", + "templateName": "User clicks on malicious inbound emails.yaml", + "validationFailReason": "Since the content moved to new location, 
created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "templateName": "User clicks on phishing URLs in emails.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "templateName": "Phishing Email Url Redirector.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "templateName": "SafeLinks URL detections.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" + }, + { + "id": "c10b22a0-6021-46f9-bdaf-05bf2350a554", + "templateName": "Total ZAP count.yaml", + "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location" } + // Temporarily adding Solution Parsers id's for Solution Parsers KQL Validations - End ] \ No newline at end of file From 5546ae02347ad1f5b237963ba8ea560d8c404e4c Mon Sep 17 00:00:00 2001 From: v-shukore Date: Fri, 20 Sep 2024 16:44:35 +0530 Subject: [PATCH 5/8] Update HuntingQueriesMigrated.json --- .../V2/MigratedContent/HuntingQueriesMigrated.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json index 3a9057365c4..f694e906fbe 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/MigratedContent/HuntingQueriesMigrated.json 
@@ -1756,7 +1756,7 @@
 "templateName": "Total ZAP count.yaml",
 "id": "c10b22a0-6021-46f9-bdaf-05bf2350a554",
 "OldPath": "https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Email%20Queries/",
- "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" },
+ "NewPath": "https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/" }
From 79fb9ef94205b5d58a32d0f6a8cf21ec8d5c243b Mon Sep 17 00:00:00 2001
From: v-shukore
Date: Fri, 20 Sep 2024 16:59:15 +0530
Subject: [PATCH 6/8] Update SkipStrcutreValidationsTemplates.json
---
 .../SkipStrcutreValidationsTemplates.json | 90 ++++++++++++++++++-
 1 file changed, 89 insertions(+), 1 deletion(-)
diff --git a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
index 1f8bcf1a916..d10dbf2f0bd 100644
--- a/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
+++ b/.script/tests/detectionTemplateSchemaValidation/SkipStrcutreValidationsTemplates.json
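Review bot: The changed line drops a trailing `},` after what is presumably the last array element, i.e. the file as committed earlier in this series was not valid JSON and nothing in the series shows a parse check that would have caught it. If the repository does not already run one, a syntax check on these migrated-content lists in CI (for example `python -m json.tool` on the file) would stop this class of error before it lands. The hunk's trailing context lines are not visible here, so whether the closing `]` follows the changed line directly cannot be confirmed from this view.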
@@ -530,5 +530,93 @@ "df292d06-f348-41ad-b780-0abb5acfe9ab", "b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8", "13424be6-aed7-448b-afe5-c03d8b29b4fe", - "04384937-e927-4595-8f3c-89ff58ed231f" + "04384937-e927-4595-8f3c-89ff58ed231f", + "518e6938-10ef-4165-af19-82f1287141bc", + "b6392f39-a1f4-4ec8-8689-4cb9d28c295a", + "16eda414-1550-4cdc-8512-0769901d3f05", + "7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422", + "5971f2e7-1bb2-4170-aa7a-577ed8a45c72", + "ba1a91ad-1f99-4386-b191-06a76ef213f8", + "bc2d8214-afb6-4876-b210-25b69325b9b2", + "712ffdd8-ddce-4372-85dd-063029b418cf", + "deb4b2c6-c10e-4044-8cf4-84243e40db73", + "81ede5df-2ec3-40a5-9dff-1fe6a841079d", + "63c799bc-7567-4e4d-97be-e143fcfaa333", + "92b76a34-502e-4a53-93ec-9fc37c3b358c", + "8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935", + "e6259b03-622e-4e11-9c54-94987dad7c14", + "fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72", + "57f95ba7-938d-4a76-b411-c01034c0d167", + "0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe", + "54569b06-47fc-41ae-9b00-f7d9b61337b6", + "430a9c0d-f3ce-46a3-a994-92b3ada0d1b2", + "b95994d1-1008-4c42-a74f-9f2967e39ed6", + "f840db5b-87c9-43c8-a8c3-5b6b83838cd4", + "a96c1571-1f7d-48dc-8287-7df5a5f0d987", + "2c6e7f75-d83c-4344-afdc-83335fe550e6", + "1c51e10e-7f77-40bc-bd37-6aa55cdf94d6", + "da7b973a-0045-4fd6-9161-269369336d24", + "6b478186-da3b-4d71-beaa-aa5b42908499", + "da932998-81dd-4be4-963c-f4890cb4192e", + "b2beec6a-2c1c-4319-a191-e70c2ee42857", + "12225f50-9d41-4b78-8269-cc127d98654c", + "cadf6e78-2a9a-4fb5-b788-30a592d699d3", + "95b0c7ed-2853-4343-80a9-ab076cf31e51", + "439f817c-845c-4dda-a8d9-5c1f6831cee9", + "07c85687-6dee-4266-9345-1e34de85d989", + "23dbd58b-23ce-42ae-b4d1-0dfdd35871ea", + "a3619c75-a927-4dbb-91cc-9adc55e95bda", + "fd68706e-8e3e-4ccd-9230-1f267bdad4c8", + "c73ae295-d120-4f79-aaed-de005f766ad2", + "fe2cb53e-4eb3-4676-87c1-f80d2813f542", + "b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9", + "cdac93ef-56c0-45bf-9e7f-9cbf0ad06808", + "9d59be10-54d9-478b-b669-fb4eb8517cd0", + "25150085-015a-4673-9b67-bc6ad9475500", + 
"9b086a51-e396-4718-90d7-f7b3646e6581", + "516046e8-a460-4f7b-86eb-421d3a9cdff1", + "594fe5a1-53b6-466b-86df-028366c3994e", + "706b711a-7622-40f1-9ebb-331d1a0ff697", + "f708c866-073a-4107-a60b-ba6f86e54caa", + "68aa199c-259b-4bb0-8e7a-8ed6f96c5525", + "8c852f12-499f-499b-afc1-25c50aa9b462", + "f6354c94-3a95-4235-8530-414f016a7bf6", + "dc7e1eb5-16f5-4ad5-96a1-794970f4b310", + "54d3455d-27e0-4ceb-99f9-375abd620151", + "8d298b5c-feca-4add-bd42-e43e0a317a88", + "3131d0ba-32c9-483e-a25c-82e26a07e116", + "a12cac64-ea6d-46d4-91a6-262b165fb9ad", + "9e8faa62-7222-48a5-a78f-ef2d22f866dc", + "6f96f6d7-d972-421e-a59f-6b9a8de81324", + "9f135aef-ad25-4df2-bdab-8399978a36a2", + "99713387-9d61-49eb-8edc-f51153d8bb01", + "6a570927-8638-4a6f-ac09-72a7d51ffa3c", + "cdc4da1c-64a1-4941-be59-1f5cc85481ab", + "b3180ac0-6d94-494a-8b8c-fcc84319ea6e", + "011c3d48-f6ca-405f-9763-66c7856ad2ba", + "e90345b3-439c-44e1-a85d-8ae84ad9c65b", + "71aeb41d-c85c-4569-bb08-6f1cd38bca49", + "1c390fd7-2668-4445-9b7d-055f3851be5f", + "2d2351ca-e9a6-4286-b445-a9268189c1dc", + "8c9bc29b-f32a-49fe-8fe8-450479f4130f", + "0bd33643-c517-48b1-8211-25a7fbd15a50", + "de480ca4-4095-4fef-b3e7-2a3f17f24e78", + "a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27", + "27ee28e7-423b-48c9-a410-cbc6c8e21d25", + "e3b7b5c1-0e50-4dfb-b73a-c226636eaf58", + "9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2", + "a1664330-810a-473b-b354-acbaa751a294", + "d24e9c4a-b72a-4a85-89cd-83760ae61155", + "3f007cdc-86bf-4657-9015-05101a3e54f5", + "efe27064-6d35-4720-b7f5-e0326695613d", + "bc46e331-3cb0-483d-9c90-989d2a59457f", + "03e61096-20d0-46eb-b8e0-a507dd00a19f", + "f075d4c4-cf76-4e5d-9c2d-9ed524286316", + "891f4865-75e5-4d40-bc24-ebf97da3ca9a", + "d823da0e-1334-4a66-8ff4-2c2c40d26295", + "08aff8c6-b983-43a3-be95-68a10c3d35e6", + "492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9", + "c10b22a0-6021-46f9-bdaf-05bf2350a554" + + ] \ No newline at end of file From 55edb1a29822633d9fde8b0069145c811cad17d0 Mon Sep 17 00:00:00 2001 
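Review bot: The roughly 86 template ids added to this list exempt those hunting queries from structure validation, and neither the hunk nor the commit records why or when the exemption can be lifted; the earlier hunk in this series gives the reason as dummy redirect files at the old location, so that rationale should go in the PR description and be tracked for removal, since a bare JSON array cannot carry a comment. The new ids should also be checked against the entries earlier in the file, which are not visible here, because a duplicate string in this list is accepted silently and later becomes a merge-bug magnet. The one or two empty `+` lines inserted between `"c10b22a0-6021-46f9-bdaf-05bf2350a554"` and the closing `]` serve no purpose and can be dropped.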
From: v-shukore Date: Fri, 20 Sep 2024 17:43:09 +0530 Subject: [PATCH 7/8] removed metadata from Hunting Queries --- .../MDO_CountOfRecipientsEmailaddressbySubject.YAML | 9 --------- .../Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML | 9 --------- .../MDO_Countofrecipientsemailaddressesbysubject.YAML | 9 --------- .../Email Queries/Hunting/MDO_SummaryOfSenders.YAML | 9 --------- .../Email Queries/Hunting/MDO_URLClickedinEmail.YAML | 9 --------- 5 files changed, 45 deletions(-) diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML index dd318b0cc97..4715198ab2d 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML @@ -21,13 +21,4 @@ query: | //Change the Count of how many times the email with the same subject has come in | where CountRecipientEmailAddress >= 15 | project RecipientEmailAddress, CountRecipientEmailAddress, Subject -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML index d9d07c4dc99..751943f717c 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML 
@@ -21,13 +21,4 @@ query: | //Change the Count of how many times the email with the same subject has come in | where CountSenderFromAddress >= 10 | project SenderFromAddress, CountSenderFromAddress, Subject -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML index 14598526b24..c4b5a3cc2b8 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML @@ -21,13 +21,4 @@ query: | //Change the Count of how many times the email with the same subject has come in | where CountRecipientEmailAddress >= 15 | project RecipientEmailAddress, CountRecipientEmailAddress, Subject -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML index b20bec892db..0bc133fcb8d 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML 
@@ -24,13 +24,4 @@ query: | | summarize QuaratineEmails = count(DeliveryLocation == "Quarantine"), Emails = count(DeliveryLocation == "Inbox/folder"), JunkEmails = count(DeliveryLocation == "Junk folder")by SenderFromAddress -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file diff --git a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML index 67be8db65a9..91c700ddd0a 100644 --- a/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML +++ b/Solutions/Microsoft Defender XDR/Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML @@ -17,13 +17,4 @@ query: | | where ActionType == "ClickAllowed" //| where ActionType <> "ClickAllowed" | project AccountUpn, ActionType, Url -metadata: - source: - kind: Community - author: - name: Matt Novitsch - support: - tier: Community - categories: - domains: [ "Security" ] version: 1.0.0 \ No newline at end of file From 7aa467a40ef47550ec40763eb714cd79f892950e Mon Sep 17 00:00:00 2001 From: v-shukore Date: Fri, 20 Sep 2024 17:44:35 +0530 Subject: [PATCH 8/8] Packaged solution for adding new HQ --- .../Data/Solution_Microsoft Defender XDR.json | 91 +- .../Microsoft Defender XDR/Package/3.0.9.zip | Bin 99439 -> 138036 bytes .../Package/createUiDefinition.json | 1476 ++- .../Package/mainTemplate.json | 10168 ++++++++++++++-- .../Microsoft Defender XDR/ReleaseNotes.md | 1 + 5 files changed, 10544 insertions(+), 1192 deletions(-) diff --git a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json index 9a8a25a9036..d28de412666 100644 --- a/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json 
+++ b/Solutions/Microsoft Defender XDR/Data/Solution_Microsoft Defender XDR.json @@ -50,7 +50,6 @@ ], "Hunting Queries" : [ - "Hunting Queries/Appspot Phishing Abuse.yaml", "Hunting Queries/Check for spoofing attempts on the domain with Authentication failures.yaml", "Hunting Queries/Delivered Bad Emails from Top bad IPv4 addresses.yaml", "Hunting Queries/EmailDelivered-ToInbox.yaml", 
@@ -120,7 +119,93 @@ "Hunting Queries/Ransomware/DEV-0270/DomainDiscoveryWMICwithDLLHostExe.yaml", "Hunting Queries/Ransomware/DEV-0270/MDEExclusionUsingPowerShell.yaml", "Hunting Queries/Ransomware/DataDeletionOnMulipleDrivesUsingCipherExe.yaml", - "Hunting Queries/Ransomware/LaZagneCredTheft.yaml" + "Hunting Queries/Ransomware/LaZagneCredTheft.yaml", + "Hunting Queries/Email Queries/Attachment/ATP policy status check.yaml", + "Hunting Queries/Email Queries/Attachment/JNLP attachment.yaml", + "Hunting Queries/Email Queries/Attachment/Safe attachment detection.yaml", + "Hunting Queries/Email Queries/Authentication/Authentication failures.yaml", + "Hunting Queries/Email Queries/Authentication/Spoof attempts with auth failure.yaml", + "Hunting Queries/Email Queries/General/Audit Email Preview-Download action.yaml", + "Hunting Queries/Email Queries/General/Hunt for TABL changes.yaml", + "Hunting Queries/Email Queries/General/Local time to UTC time conversion.yaml", + "Hunting Queries/Email Queries/General/MDO daily detection summary report.yaml", + "Hunting Queries/Email Queries/General/Mail item accessed.yaml", + "Hunting Queries/Email Queries/General/Malicious email senders.yaml", + "Hunting Queries/Email Queries/General/New TABL Items.yaml", + "Hunting Queries/Email Queries/Hunting/Emails containing links to IP addresses.yaml", + "Hunting Queries/Email Queries/Hunting/Good emails from senders with bad patterns.yaml", + "Hunting Queries/Email Queries/Hunting/Hunt for email conversation take over attempts.yaml", + "Hunting Queries/Email Queries/Hunting/Hunt for malicious URLs using external IOC source.yaml", + "Hunting Queries/Email Queries/Hunting/Hunt for malicious attachments using external IOC source.yaml", + "Hunting Queries/Email Queries/Hunting/Inbox rule change which forward-redirect email.yaml", + "Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML", + "Hunting Queries/Email 
Queries/Hunting/MDO_CountOfSendersEmailaddressbySubject.YAML", + "Hunting Queries/Email Queries/Hunting/MDO_Countofrecipientsemailaddressesbysubject.YAML", + "Hunting Queries/Email Queries/Hunting/MDO_SummaryOfSenders.YAML", + "Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML", + "Hunting Queries/Email Queries/Mailflow/Detections by detection methods.yaml", + "Hunting Queries/Email Queries/Mailflow/Mail reply to new domain.yaml", + "Hunting Queries/Email Queries/Mailflow/Mailflow by directionality.yaml", + "Hunting Queries/Email Queries/Mailflow/Malicious emails detected per day.yaml", + "Hunting Queries/Email Queries/Mailflow/Sender recipient contact establishment.yaml", + "Hunting Queries/Email Queries/Mailflow/Top 100 malicious email senders.yaml", + "Hunting Queries/Email Queries/Mailflow/Top 100 senders.yaml", + "Hunting Queries/Email Queries/Mailflow/Zero day threats.yaml", + "Hunting Queries/Email Queries/Malware/Email containing malware accessed on a unmanaged device.yaml", + "Hunting Queries/Email Queries/Malware/Email containing malware sent by an internal sender.yaml", + "Hunting Queries/Email Queries/Malware/Email malware detection report.yaml", + "Hunting Queries/Email Queries/Malware/Malware detections by detection methods.yaml", + "Hunting Queries/Email Queries/Overrides/Admin overrides.yaml", + "Hunting Queries/Email Queries/Overrides/Top policies performing admin overrides.yaml", + "Hunting Queries/Email Queries/Overrides/Top policies performing user overrides.yaml", + "Hunting Queries/Email Queries/Overrides/User overrides.yaml", + "Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml", + "Hunting Queries/Email Queries/Phish/PhishDetectionByDetectionMethod.yaml", + "Hunting Queries/Email Queries/QR code/Campaign with randomly named attachments.yaml", + "Hunting Queries/Email Queries/QR code/Campaign with suspicious keywords.yaml", + "Hunting Queries/Email Queries/QR code/Custom detection-Emails with QR from non-prevalent 
senders.yaml", + "Hunting Queries/Email Queries/QR code/Emails delivered having URLs from QR codes.yaml", + "Hunting Queries/Email Queries/QR code/Emails with QR codes and suspicious keywords in subject.yaml", + "Hunting Queries/Email Queries/QR code/Emails with QR codes from non-prevalent sender.yaml", + "Hunting Queries/Email Queries/QR code/Hunting for sender patterns.yaml", + "Hunting Queries/Email Queries/QR code/Hunting for user signals-clusters.yaml", + "Hunting Queries/Email Queries/QR code/Inbound emails with QR code URLs.yaml", + "Hunting Queries/Email Queries/QR code/Personalized campaigns based on the first few keywords.yaml", + "Hunting Queries/Email Queries/QR code/Personalized campaigns based on the last few keywords.yaml", + "Hunting Queries/Email Queries/QR code/Risky sign-in attempt from a non-managed device.yaml", + "Hunting Queries/Email Queries/QR code/Suspicious sign-in attempts from QR code phishing campaigns.yaml", + "Hunting Queries/Email Queries/Quarantine/Group quarantine release.yaml", + "Hunting Queries/Email Queries/Quarantine/High Confidence Phish Released.yaml", + "Hunting Queries/Email Queries/Quarantine/Quarantine Release Email Details.yaml", + "Hunting Queries/Email Queries/Quarantine/Quarantine release trend.yaml", + "Hunting Queries/Email Queries/Remediation/Email remediation action list.yaml", + "Hunting Queries/Email Queries/Spoof and Impersonation/Display Name - Spoof and Impersonation.yaml", + "Hunting Queries/Email Queries/Spoof and Impersonation/Referral phish emails.yaml", + "Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation detections by sender IP.yaml", + "Hunting Queries/Email Queries/Spoof and Impersonation/Spoof and impersonation phish detections.yaml", + "Hunting Queries/Email Queries/Spoof and Impersonation/User not covered under display name impersonation.yaml", + "Hunting Queries/Email Queries/Submissions/Admin reported submissions.yaml", + "Hunting Queries/Email 
Queries/Submissions/Status of submissions.yaml", + "Hunting Queries/Email Queries/Submissions/Top submitters of admin submissions.yaml", + "Hunting Queries/Email Queries/Submissions/Top submitters of user submissions.yaml", + "Hunting Queries/Email Queries/Submissions/User reported submissions.yaml", + "Hunting Queries/Email Queries/Top Attacks/Attacked more than x times average.yaml", + "Hunting Queries/Email Queries/Top Attacks/Malicious mails by sender IPs.yaml", + "Hunting Queries/Email Queries/Top Attacks/Top 10 URL domains attacking organization.yaml", + "Hunting Queries/Email Queries/Top Attacks/Top 10 percent of most attacked users.yaml", + "Hunting Queries/Email Queries/Top Attacks/Top external malicious senders.yaml", + "Hunting Queries/Email Queries/Top Attacks/Top targeted users.yaml", + "Hunting Queries/Email Queries/URL Click/End user malicious clicks.yaml", + "Hunting Queries/Email Queries/URL Click/URL click count by click action.yaml", + "Hunting Queries/Email Queries/URL Click/URL click on ZAP Email.yaml", + "Hunting Queries/Email Queries/URL Click/URL clicks actions by URL.yaml", + "Hunting Queries/Email Queries/URL Click/URLClick details based on malicious URL click alert.yaml", + "Hunting Queries/Email Queries/URL Click/User clicked through events.yaml", + "Hunting Queries/Email Queries/URL Click/User clicks on malicious inbound emails.yaml", + "Hunting Queries/Email Queries/URL Click/User clicks on phishing URLs in emails.yaml", + "Hunting Queries/Email Queries/URL/Phishing Email Url Redirector.yaml", + "Hunting Queries/Email Queries/URL/SafeLinks URL detections.yaml", + "Hunting Queries/Email Queries/ZAP/Total ZAP count.yaml" ], "Workbooks" : [ "Workbooks/MicrosoftDefenderForOffice365detectionsandinsights.json", 
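Review bot: Five of the new entries use an upper-case `.YAML` extension (`Hunting Queries/Email Queries/Hunting/MDO_CountOfRecipientsEmailaddressbySubject.YAML` through `Hunting Queries/Email Queries/Hunting/MDO_URLClickedinEmail.YAML`) while every other path in this list ends in `.yaml`; if the packaging script or the template validation globs on `*.yaml` case-sensitively, those five queries would be skipped without any error, so either rename the files to the lower-case extension or confirm the tooling is case-insensitive. The first hunk of this file removes `Hunting Queries/Appspot Phishing Abuse.yaml` while this one adds `Hunting Queries/Email Queries/Phish/Appspot phishing abuse.yaml`; if that is a relocation of the same query rather than a new one, the release notes should say so, since the content id a customer has deployed is what matters for upgrades.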
@@ -128,7 +213,7 @@
 "Workbooks/MicrosoftDefenderForIdentity.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Microsoft Defender XDR",
- "Version": "3.0.8",
+ "Version": "3.0.9",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "StaticDataConnectorIds": [
diff --git a/Solutions/Microsoft Defender XDR/Package/3.0.9.zip b/Solutions/Microsoft Defender XDR/Package/3.0.9.zip index 0a34beca1d0d42369c98e18c5b0b1ccf4810821f..a2a65b33794225c566eab3522651c4b3b34da19e 100644 GIT binary patch literal 138036 zcmV({K+?ZZO9KQH0000804j_$Ss-?7!R18&01+|*02crN0Aq4xVRU6xX+&jaX>MtB zX>V>WYIARH>|OtJ+qRPb{bufe!1?Z-?Tjc|^4DgrujAT&sr&54&vuf#i8CFDge24? z!3U61)V|Ez-*SK2{Ux`%04P$DlQ@>;^roFQu}KhEEcVN17Yp>afBq-N*8a^zLy_{e z=WK0Q6uEgGhW1H2zr$z ziUJxzi{J1OJd9MFJ&?t)?3G4n7_mSOA#Z3V_Rru79?DE4AutPw4A0a+8T;;M|E_IDgPS!r zmT@tJ0rq$E_wegb$ic9ve*g1Lc9T7O_LC~a^JmZ4MIyKnOpCtItWc~N3f5OiqQ){C zu%75EEtt$q!IK1^;CrKz5-0SWVPF6I-~YodiIa_&?CqtnedAE(-G-m9o$K8bEVK}Q zmRGJb6ISc{r|uT4smNlX;m7|xz6{+sG)y~-a5PMtAg!y?en8lQ$ z@p#-$D`_Sj5mBjSF$qCJfJkG)Vu<1m5)5;Wkc_bUBG}&B4Pw{x=5#rL9yT4?bDN2b z_Yz^)M3qQ9P$~?*wj;7bP_M#-r&%Op_{1>KI0h2S5;ZWauT@Hm4ur&I1h2=ixH4ml z=g3Sc3uFomG*1d~=rE2+-Fd=(DDnA#{jC&Q0)_CADf3+E0*B);?UAtL2=~j-eSuR& zs_vq~vn1jfN=9Fm&#0Q)8kGv1 z9<&3!slLUL1TY*{$*C*|(%TDbq-zRG=6yy%tXzbN81N)?c0ItS3HckI1h7P)=AaJ+ zxCI6RlA=|F6)@mea3nsJJgWq>2$})kHFqx}WeW2g`M}%kEeQiVR~fD#`{DZff*tdM zvm?8R@a*v7bV_)vA~Qob&Bgv1q_&?B6)TLPpCI!61U#3UcCp+5Sw=4mTJTPbJ$v>> z>D!)CxAbHipBw_glR`%9vIPCc$2(j2d`7LPhuuBw{p}e@QN~gsRRWyC-JabKQ!)lUM3nM_j8Q~Y#=~QimAy5IR$OD zG6r_vv!X%WhsLDVM$$-dHXb?MLAqbi7h0A19Q_>a%E^0aP>A7eq04$l{zvzN?|6#M zD$%Hev<#3R&Ku@2XmkAo%S4KBtMi-csT5aF)9IJs_0Cg9{^NF&1dARZfa<%EG`+*+?`!{;i{cVOZI zhtR+6ZgsbUt%G2zvkn9=THT7IMXNae%mq9Gw+Mm7u~zvpfW1cRg!e>(%@<2Up1_l# zN@5#)T+#Y~BfMki87YWi#2CToSSATeaNSjw)I_2t5$2vEVG0dMwJ>vQN{S=m*F1qG zrv*%TzF`G&!>Y%|dQ$<`H`^m@-eRuZCj0i!gdt!Evr(us=ux|Ou=1NN=ASK;zfEYc z0SGXqejwm7V#7(%`foRu=QnH5Z`RgZ44ctcEw+BM*1B0EN*2HUunt|nn~_tLZK*{( zZzJj)o0_D0BPVF@y!8Npmw(cDpjC}3&%9WgX54q9Q7_@KxRwP`^U;>VqMA8RH*3%r zQ`P}2^uCz$H+SmCHMIU7T*2+!Cn~pIbIz4ucQ}R@cyB6wJY-0skt|lxH4~uJ5qq2c z7eptB*3k*wf$F2u6yTcBEm6myHW1S+jCm?OYqP^Xi0)nSZHw9XA7LH>R~swY_-}@I zFz8drJ1Aw$vxoq!g&9-GjL5XT)@0X*`mar&`FTqk0O_~g$6it#WYLSdfX{(HM*a8aA$JSQb-wUz1W%wt8b?=8TCa 
zX2Wb^mS8B7obnk1a8uZdz=lmbAXf{TY@sJU+=jrqk+Y~W5}z^;@K_fNlQM(GdOf1z zPZ>|@_{faEpUN*ssf!X!nuL(uMZ^J`aZ>U7srJ3t+4+1mw>4~OS^yh|zZpG8YDH>rinNlouBC-m7zWW{#t6!isa9{em|Y9rxw z(5fJLWu*r^lfRPvS~rV)`duue;E4jyUs3IlfsxW$B%GX#7$L{n>?ZS=0RVAy%SK#F zRbno!>IXlqtb-b1_Ex4yY?PE3|2}7EB`~^0T5_;GLs0pgr!AK9WXv_7&sUdc)DQk0 zB@zaz2Ed=VOiYWRxrW~oU5y7mb!GAu?KAL&(uKw%&)aM@9<4e@%FTnqkEWS`6Kugz>?vrWB zAvg@{FF-9^%)hw>On^@L11V%=HD6R0F6W1JqX2635y~9 zz|O5&xn8SKW5trQ{rHk|iaQseB1@N??I)9*SH^`Q72<$}=WewTiEt+ueoMrKM3~nG zw1XnFkVOw){OK>B38v4;Wb#T4EbP*;?F4S>42gX2kKy2R*L zq&fInVLpkDBT7luBj-j><`Gfyl$-zWQL=>-f!z@{flY&a_vX5tMnB8=+Y6;}`>UGi z&$eWsULNrY{eA%Zmx-z`l%Z4|yFeg@(uRA@?C8n@u%ASMwh&@Bi=UQe?5nvvnXxA& z#l7GOOEB^y^9=}8Mucc9=t&Bdd+vx7U5(W^-kOSZczdr9;%f$r6-pRO)mUi)AIO8|xo zb`2jYxKD>~Yk~`b&Ye+S1!hS~0LY+})0V zDzccd+r_Ti;IB-#%WHs=+SCR%rGa{-OkynR0WC2BPBxhNw8w)y>~?mx4z~7JEBMRA z=@$x1+`xIU?{UWL!p<1Y5KJB-U;(^6KR#KyDm)!v$I7o+6Ylo&A_Y-jUm_st3AEg) zie+D7QZh|NjFJ!LjuX~`D2_PhWP~Al!yF{oL9BLTd8q-)I@>GheO;fXPJ;%O*)Kj- zQEHFh8UwgGrF-abm0X?Ez6UD{P&d^TD(;yC(U8mRW2&;hx3jmsT2|+Vol}fmNBeU4Bk4>JPzC0qpgH6?V9W#4Q z9#7uqi2_LRqU73U%tjz-H`ygtXbOmmv4pGX2l{|V#H8i}T!E!_m31MOB!r!AC`KGJ zngK5g9^DEZBmjvtgfIp~69^w8;Z5O;Dy!yfI{24fsZ9~|po>^3-5wTcQYUF3P0_9u zA41Q4@Nk972H}3E-;d*+i1&7SdpwGFqh1tu_}1Px@Zz9559c3M)_0dE>)_PCe|33v z%`%7Odjj`3myd{czcM+mCLXI46X$l`m4qLQk&J{x;wOZ_{}ARoA3Q*q_Z~x-F*vt^~V$S{UwU};p_UY8f6v$yaMig zb&IuVn0ck#)Y650|H*`XVM=BJG;XrSL2!y#RnG`LvXuu_GR74sKm&a2*w@Bb6LesT zpi`rx0L6Uw-EJqUfI8u&sy6GW39$h}h#kBWlQ4id7}%HP2%OKk@2x2L!EsTV4~> zyOs?~E#1FBxM*r0o@RaJ`Ud)<1nhS*@#SMo(YcUXZjhN054;#Z>;MZ*TTH@#pcn%Y zL$pBK>xPLU!i=R2Wyh+7@Ro{UXU+&!<$+dr3MwVSWF}R!(Yd_$MV*HouAEMpxuc3u9xKIH&=Af}yfv+7V{r2ZOvq8YIm=Uli;ApqyhfgDb zwAgjf?S8YjyJG$CY%S3MoV*8q(aM8-`7B>0$X05`qL;H?*~f#nSQdrHp|JVU>l5U{ zcCd4>H=n0|s9or6eLaSO7nLh@8CrX!(q~NU{+vCebw_>{PnNjzl}+x>GB(Du_ZFZw z7~ICAC}o0YfnkL*RR9IhD3%dcp5b~-)65=bu6UQOv&@a>V}8dxE??B1 zZj<@PGM^Mex2!21;~tDXFwb2)f6nzSzL$95*GDmZo=V)Dz#`0~#B=aB<$9Hf(u?ORO%d5oPzbAlR3Ktj7|v|;TtQdZKW 
zA#+?+_2SV%D`T!47z;Y6jM%<$_e{hhPn12v&m%r&y5ctqI?o#Q)~lANWo{k+2uREu zV3=)`5?Iq^#xC&OA)%_}i`Y}{8&@JWMw_4|SUiq)DldD9g!z(#reiIX*{Pk$#@i(j zzg|s@9d;sUE3z873M6cqg1)bOfDi5j;%!hj8T?~z?z1s3C6h! zcVe->E4rOvd#@h{J3CuEIN1HB7wqryD2n!Xb`JKV6-&@E_gRk>-iva-mti6fL zG+(|bJ>4$rGK?lNNhCQj={ciHmSG9LJh1n{h`8os+wP_*w4{kqAhJG@KuP+W%y#BD zj`#jd-7^_lM1MIDf(SD!iBb@98qeK7gGYLB6s+y>4{QQMydTP*#KA;$-U`(t5%GYM zH4Zq`&Ifs9Y_UicJXWA1mBt@@ws)np>5zbU&jIvO7FQ5{LCoplz5CP+ ziq_Kgl8=e37c7PwAew#&N@|dYI>uOP0x0CC4?0Y<4UeT86n6{=!yp{ zAgAfsJea@tX}0pQE=KK{ebGE^{9@H+v`wku0w>Bnt4!B~w8#bo)*Ykflzy5wY=mIMa zLM@%-nb5m^x`v0W*+;*1c0aKAWtym~tzYeCHOjb6uPzL|W>8YDx-%+B46l8(V(+lb z!UYmqc2x0#p}1G&_K)W-p009X8Sdg{?c{wlJ~3c7sUB_G%UCAy z%^GO%X~t|G{G8Gm81A=fNo(*Tfi$-qTGLfk!M6B7$G^qWt-$+-{ki zsR*=UdP8Cf522~ODyzm>%mcYo&y*X*<4;wzPpP4(sxXP&N#H0_C8m*F?W}hMjeQAe zycjm_FDxn7TP$)lz8W|O8+Hd!{zyqdC*0b`s)7_RU~d5kHrz{@H55#eOa zo7WYa!eth=)G;8tDpXFZD;Hc}@^JI_Rn)S4vHAN0EjQ5e44_>AWyz>uA`d`=9LYos zfFxt3t1<&$1KHCLM{jB^^!h2 z1|zuevj-c;ucFZEi;bgW7BojRfLmXbH8n!Sb>nuExrVh3B(irdwTf5hE-)fJp56N0 zv_8<5MF`p}j9!z32{3hXbm|tGL^I&CJMqPbiNL6qHJSk*%}J(6Dm^y zouMre9_e^{^9lQf#T!|bS;pZUm+8V~YuqfdLTfzMbU}47U1`>XKj}2nBG~llvX9O_ z8l|nhFa;ny;I@_nB1(|}6EgdIV_P)%JJDwwr4UdS0Tm zdb`UmVJ(vcemG5W$Mp<@cy`#!Fq}vrTp<_z7#8KLDE5+uLK75P3{JG;3hrm%&C}X3 zhknQW1~xoCJ7W@=W$#*d4pn$gk)CC&4IhHY{#X@Z`J=UDwW67Nk-J>2wP<*SNSmY? z2*Nw?1H8znDo(Vnm5PepWg~$*g}7=F?Jlz(XF-QNms^>HK8{_LCU-Hwk*_y6#s6!H4XP&Wjj)Few3pUL2w=NUSGu$e zj8@%F4G^afz*dm`T=3Lxm)9yhrT~ZFk4q(KvktHDc4z$mWN>>f8Y8qabD5(5Ywuc^ z+eVJ`UqLx_u~a2WmSp)=mE6&iHr7U3E25lK<(%3Y5+I2c2q1V!=KlKY$IM{Bhb-UD z5VLer<&8vXNN_e{j}NYqvxe{kI2cE3 zPPB=9!5NEC+KwhU1Q2TiHfDIZhiE8S{O0k*T_O>6ih>(DqKuF+jmf6C1gPyJ#L$A~}m+wSR--!(`1~zN0-h^`-|JbE4}$S5sSRZh!YNM8QZ{5Lixvc?UyF(>8dP|v&Il96=Ionf4oA`VQ>J-Ug1XL) zi@@g&JwPr4GvA4)M_ym_1qIsq8R5M2=TxqiSa29~-zF2faCZ88X+Ni=IS*w~+7kGc z?N5er!RQoN!p=RNmAo^b)AnCCTzYe4v-nKPk@oYv3@&Mj#3k(?IIpr`aVfE)nhhl7mpI8lHy0$iXQ$&3c+)e013q3YeL$bJziXEN|n z<8+D)!L%goQVnO5u*F9Qwku@I)aFWY{)k711UsikyUoC%a=|`h8rMPP!ZN$7%ArZ? 
zYafD>hF_v5w2V+PR(d9QA+W<^oUQGM@17z|)l>({BpGI%2|(C>aKZI>@<3{47`{Yr zAoI~TasovJKMu%c56)9mnhArQ9|z~Va%G@0*E@WP-$S>)At^(+A=DEz4$e=n`uwI{ zb|l~^d=UCFB;IhnV|Rr}G$N{-aDhTzX>dUrz)`gT9O|aqqs2KM;cW)fWn5HEbaYSXv zX_IT8w^~0Hq;zw}YKKeGytB9}qW!Fx94H(g3|<_)dbR1m$z~0uv~#0F_1CBX&oUEb zrM#!uMU2#4b)~VSi+D!QAlo1wQ+R-aeR3L5SiZ-N3`_+#a5s zyxD*8;uyZ~f35(Qu_)gIAm1Eq7=kv7Fn=KT?KI0{ekwl=-Unv|?2-;(=S3wZ6M^it zj#`(E$xA9B4C(rLcfvo=@2%<*u2F{{(0r_68mgwZMKW=Qs_U>|;_e1VBja8X=Hv&c zcY?PQRd5Wh!+Y@FVNVea{~|TELoKom*Mx0vGc8SqEvH=DLK_^|bW;NC`X1XX0lUgd z5sxk@FtLwDFABXlop~kw$`7Qke^Hf4WA@<-C%WB1cTt{y!45Z0v1h^gJs77MO0em> zZL`YdQ(BibJbi!9lA7DQ3B{pgb1{KP2`&3b@S^6WNo;e!pL7?Alxf*PXvbhb800Zd zK7}Bt{T{9ALdk^!++6V0G5LhU9i%cbQJLdJU>AFU8|%KzG?4Si3Ah33nbNoe^6@^V z5iMVQitzq^9maAUqc@x;Ssj|*rwY#F2%Sd7?X2i*mU$vlYjsK4a?dkLW!w4_0XIx&dxx7v1>}-}%+z`P_ zn^|zGdS1BBw!|hk`;Xl3yOQE&Uf+F7B^kXR{`yEQ+7&h{B=9u1ijR!9$ZuUPI@^;K zUQJDy(dH=Q)^Q6n0(`VPK|S_u1&}JQL740)lsn)K>3vbwP2LB z93ABYai{find*qUkU0djSKzgH1J@AGUoWdTdO=mGCkO3YYt(c}skgF+b@_C)n6&6& zc82D4yD#~|i{0<{ySl7z=$a_8S8~JasLgs3mHqFl!pZAq6PIi3^}zmO+FcRJQ!ZFH zy~^iTPVQCnA?c?xQ;yQ@S)k7BKQz5xU zszy;?`%X@t8PAu#aSygdIL$)cJ}eAKs2iD5Vuc{jv|^65shhve=r?p%$|+qWO|Pcz zv|p7N(PcKt(sLO$!k6%?@&!0Yw1WP=LZy6XQN;Z02$P&eERc9L2OVIi1jdRLmFFl< zlZPpj6gM7)2qc{>k?gBh&6aX58GjK!>y)bo&oHgjLLV0p+LB3$-NG;9opbr}WTvN} zUhIcyM9VX+@SM(3bhc@Gq{847X#8mztF{7TAdCV9t?3DVTlo&xaya*F_A|9IOtmzd zc{VKI56?z$w1;ErU+)EnFW}!{@WpF(XluXF`to($U4_vnv)M(d5shRz2Pv1)G={wm*P0S*KB;muC1L_OH})IQ z6{AK2SZCg?&ssmkckzKvE*{(-9v;8K=SWP-cflVxha_zcFaM1^r#~FN3;3rdF63oL zog_02pP!*t0{;E;GnI&kgRFX4sU^iFJmcU*rBwY}5kZVvY05)VX?u(sAt>*`;m-Fb z`|KLWrE0>(HBHO2#?eiehed5+ccRA&f|7C@?IKie zX1OE%ZEQS>}*)%+D678rUK}tG$cWK-jHZj&B-o*|SERVgQ+Sh=QWCctt zmQgMWUd0ydLp7*uBPx$%(XsiHJiPXH+}1LHFAD3C%m#A;Mt}FFA!n0dZYmsamLEs6 zDD*TNilhn#Gz!%|{Jfx@Tgei^0}l)nlr=UvE%dKbafN9cb1^e^df2DadKMK}QEYr% zcZbo|-t4~e+gZ*;@vgbPSu590C9Ai*j%ye<>+zoQXi;Fh&bjW6$pxj0+P*BMqq$+Q z+hhS{WB-|MO5;*q7s47r>APZO&J7oH+AU}Kq{2wy9N$T zfNP!J1yna*Gg3)!1==){?YHzrS*>(l!bd*KlAwNz6hWO8tO`10+G 
z-=2GHe$lTt7&h*Q27*l1%laGhhBi=CWz2tD@up!S!ss@xlIUyiTnE*4PgVQOR>JiE z0nx|c*@k8*b6(wTz#wPS!MwV3`qAj{P7I9)^`ppLtcZNK|y&zLvdi~pL&b-R$ zV{jrn=h#6h>qxFef%OUS@+}eyyT5rA|7H~0BsR}<_0PZ@a|1p|46YjNhu7+ckPRs1 zg0b<%bmq%FsIo)EcEFW~9SBmyZ4C(umG$-va|vZGz#&9fDB2iCV^Kqp zbuW^dGR7z1(T2a&CD(WH%j6zMp>~FT_wcpKfqpA|VfVdAhuN2dAL|s$V-i$XZ~|a2 zNKym9%GY4legeVWYRs-S(UxG(E^X?3@>}cFJHyj=HvH{tSl3p*r6=lI%la>2zg0Ng zJ@~Csxe>hWtRCH|G7~oH4|TfwgEpRk4oO{owJnI}MLZJ)qP&e|IVFpr-QhBp4u9yDoeHI0_0pUxH6-#tog6322l_f5l9F;v~mLvLM$ zZ@_D&W%>ZR?qOz=EWXmd(kE^xxEj2#mUqHPUX%YkT9 z>jFB1=sLQ0g%H><67U+uR@xe}xD++mBtwj-$wuI=lB1|54p5gmp3t^K@z5rx`(qvQ zP&l}-G{m{Y<2bP|zuG?k&Y-9?6@x)MnTg=0PK>s@39M%Ika(M)qU`AS%Zq~&--eCt z!-E<3rXxFC9*Dfce?R}CtoL({*86!<6^C#4=d*;{@Jfzmu+QNZ*2)S83;oY8BE8Sj zyBHpXX%x@49<4U%C?|u1+h^MuHh*WsgDu0>AH3Qmu4s#wvLPgh=?1i3&`_#+rEH}9 z4G~aXu(=r6Xem#l&d@Hjeqv=Ce-LJsTXH%GyM5Z7q0C$wWuy4@(*`pKvuKtTG+b|u zHd1@so=x0&w-ejsm5lDF52Cn7R|jnNiAvmM8;%QSK%wfRTG`A*D8x4p`d0)I zY#v4=E+|NSM+me^?re6*bNf1c0-?Ipr!9qBk1?yug?Q`!8S8IDrzB)T~PZn#$ zX6F*Rdm|mK{AcU6Nu_LNaB2JWeZZydahThVIh(wS4`bTe7uOjgr74Uscce@ao2FPf zm`qQ>__pz5Ta8nj)QUOVa!xa*nkq|jg)RmkxslKfEd66y5-g8I*<7uZpeDCd0SKx$ z@QXBb_4FOfg{Vy(TjIGo1lQ9UD$Ic;!H7LFqFZcwmKn4UB^YZK--+s1Hz4zZCuuE)vqeM9B&c|Nv^mfX+?sTP zQpUkd8fmWyxSNy@rGO%?uhj}ls?ruwhk_4Vk6D`(%SJ|Kw$HvpoJOl)x@t6FBhB#m zSio(EnoU-v5xfu1)Mx`Y5bKUcSpzZS(wmJok^=BFtrXSMA;hM+rT{RtH*Y<_Y?3C+ zd7P_q3Rd`pGgaLntvjw{g=a^49y7dTTCKEl46Ioy;!u-hMoEnohlvq!)HHc^IB!b0 zw;p^p*^~{;i)^2}56Jty%#5^)<5mU-Pud?u+oWQQb@c4=lFE@$4fN#mWfbH$@>dCbIW?2eTk5U&Sh zjPih1kOP>0r45cX#a1fYH{fzGeL0lcTHKu5nCc(w0sA z`*{zWt$T;BUY}S7*y0lEr;}@S=9PiG+iV8UIXJxOIH|d(SB@9qG?Eh#b~qBNiR=xP zhSob?S;`hgxchHoQy_qpKXT_T!Mk^ zG3l0}rUu~ngEgCc&vg-})lZmFnW6RDdkv>kv}N63(F@MUP|XH+upN3U-!Df~@urRC zKjd|mPgJ)0R?vCn_*tDd^(n2(S|q{Wv!tFy%E1owbo(K7xEF35KtEwWN&Vbdinw%?;wD=6?T;__}z<1u;|Ek-;kHy|agL`){|J{)Cf53Z+4R)_sO zmtgJp&j#@27jj(c`v~6c0f22%K$;^R3iS-uDGgQ1~G$EY62)pLDkvYa^tEwY(lC@u;PD%9$G!;pM29CPL#6 zRAND+t(uuPRXoGK2QCBBuQpS^sagoZQ`0atlCXS=IO?}z*PI;f0ZMIhMS~|yhab4X 
ztrxUWy9p=NQ!^hmh^Ek80?o6kT&v@)E}hR_Zl8L$NPA?3eEJ+_Ye>7G0=8;Ss${-_ z%qsDMLx^kKXKqD#7o5sK&<(`8<69nE%t~zn9EH~KBeZGSgOqP5vdM6qVv3b(NRjQ7cw9gX*BBftYNfs&3{|4(IrY7`Y4u@FwMb!M|fIccYEG zK!~sz&6XG(aMl>uK)G%F`d0+;(k2(;#kk$})%gHxCnI<50@J&N)h2B+*!-B?_O*Bn z!qV2L-R*^TCpkCJaofVjb>|y$z z(H9(TgjQKJ5)J#_cF5V}US#3J>BXSWJ_$G}{iCDa;oqFsD|9g9QiW_WpOxB3-9(U4k2~E6sS}>ay4S#re*dN8E*q>zg2X#4ugC3+KQ68|j zdmscKUs#6s?fq;3??x|T;ne>6-UqbXB!SKf8R09PDjX7kmUfp}>W&I}FMbuLB1v>0 z6I7`BUCIKrIK|wOoKP-;v4Hq!R70GPa*<`7=NX_HJHk*F2t%nxmcCGlkIii zt8&ekHd(BT8P3H`Dh)H}B-cCe?M54To_$&9abN*4@-)o_IlO zDW8I?(xWnxGOPHzVFv@jT&->!P+l#2CpKv(tZzLwRIp^hDYiJF3EVOECmqvEZEQ4^ z>bc4?gM&KFk|cX*C8*>)<++vugyn85M(7=4;$JR@J^Y8eevu^zl?Z29siD8HKeN@< zz#Pk9^{r<3#3mp0qqrApayS@kGz*o`6V)7+SaawGuU;@w;}}7qlbLEQB&$e}$~2V% zCrcPbXer6=x7=2(CWt~thVqdV(y|Oq?>1(e{1h?x!GIl{%WUE%`akKIdTL`~twKMF z2#!k~m}tsg`hP^r6A~$#+EhHC&LFI()%N>@HmRf=S-&G^d%+J)6;v7Yhbij!B(QE) zXk|wgo+n-~OmRt@IbsGeX;wB-rIT6tgi9d45tU-7L`q5@u^@G%tR)qx_e1;T>}^zf zx_{ebl$Mc77B|(>VI`=Xs$-mV%r&i8Iv*>@lN-7cF#`8ds0X_7OUrsRMeS)r0do(0 zS>+P(@7f2*AIhnGsd@i*iEW!y)j6@vS|#EWr4;|j?HhcXFCj+2tjSe&PcU`^Z!fqj zJfmf|05#}jt`+_=VaqU41<=shBvoKaB`0)(JP%wduS+Y=q!rx)*8`9`Ah()gs=KHd zMn#4+qT|8eCmj=43=9#^C`ZY5h{r*h&7v$tt+#*UpyX09s6iEv?jrbo=K)*E18!FR z)1M)3|3W|SBJh;Z41PK;FhfwpGwOxI5-h;9AkD-ihHprsdn5(`N>}2`DIUTebXC)m zUj%9dD zAoy^j_KHJzWs{Lox`qRcP|#K?wsQjASKTpFE!A05)UYXAZ3S`^+KMzl z_jj(G+W=hw+u-tT-F#(}qq@4dy*Uqh<_gId>IPq)5>twC599GTq8tg^1%NS4V{~2j zIH2Mj0SY9s!?_>y!AC&lGdwI7aG|3l*#QAjR`XW!8L$nY5=a4LRPmqS+!rd-j&Mv2 z;vDg-zgA7g5@8sH2StQoS%|p^=@MHP8}Sb8HVH1NpwV&xr0O_GH@xZ8hv6*QDU5l~NO|qOzQs^H5S%R?V4~BP-SQG-Aj2Xs9fv zJ+!MMo`ENdulOTx{K_WxbVen&Xsdzh|G_$brRnSjx7`s<10Hfg1$%l0rGXZ6wMiH9 z(pMHFj{!7wvHjhkudGr>mzN*1lBX;F*doF50MV48W`071tRLFr8))ar4Nct;efPx<@t4lS71; z4?k)Z9XV-_ouN^jbHSOT_@_&8O~~VaOk$yQ`EF2G)Ae=D2B)moFIh#%6i~End&;(430L7%k6heU)v;z`nT5*ttRnk z9+VK5)+H}CZlKsPJtUD3mw6)Q+!+TqdmK+{S$QaG^gL58e||m?<0$B3T6{{EPOlE8 zfVS%_POH7(V;WH#AvcCJ9>8rRX618wkq>f~jcPi?b42Z$_+5@?KYn#$55NnPH$1?u 
zO}^*HpDwR^m}KiUcgYQKyW@E98kx?Cnwol6BMa(u#AQtMcRUffM5<*L90V)`vEMCs z4iQ+=7@Z`@JOGzXN@wZm57me(H{AJaFW4Q}Ls3MI`s9!)BwXM^*<8JL6&EaIzQroe z{8_wg@;Ln(%nHYrLu7Gi31-zuf+C)=+MsB^hrY}S_Pk(uApXvg!M=|pN~w#L7Lv8Z zV5Sw;*$+PDA$pdiys-Rt@Ie#Q8!LmetNzXDUU2r;i>tk0a1H-~%gXVlY%6%JGCg^g zjhk4Mi?z^p@+P@KX_s8j0!qP+BR^R=i&)V%CeSLIsCAR`yxgg^=8@l0z}e(z`skSl zbb-M&FA=>n-HE;W!&WfY9Z$1jWz11S32ywuG*ecH!UJUo@cAM#&d0)$F4%Gi zz6v&ZtWXC~t_eS^;nBb7!zQKk0kyDV|E1AR(5*jF597bbN zCly`$uNZ>BYswb;SoB%33|+AFX_1s!Km`==SNzCuu8&6jX+mKfc4K&v1MG4N>neUC zY0MwXDmOfz5{yg|%*Nm8ylAMZB+FUw4x8EVOf04*J=^PTl0R2xAK`N2M3vLv<(Ktr zCg=v?9_R+|UQj))t)8ubo+MS3r}b>eq%7_8<=&dtrQNU!ZaClc+S^v5H(^RYUuR`? z#%U>k%8B0CWOs1%Z4jeUix?5R5juhE8!vdB#h6_JP+d8$w16ntwk`=t#0xf3sJe6l zlp{2HfGwMBO(QnPo_yD%FF_Tqonq7eA; z$QsD}+I-*GqcZ_WKf?w`DU3`K~Aeh{xYqWIo;M6;L(n>^Vp+X^z9+=$K#vIiowG?Ift zReUaTmOOzQpn1fUEV*u9v&gn$%qAV8G1g2@_;horA}qKS@UV&`xcGP)lv!OkY7Ttk z5jiq#J#}*FTCfg^Nri}^6$Y}4x=%$yH8Gw+&=&24VVTTiER!^Z@Z%vG?F;{{4QZ+l`K#&%EtQHEF%L+5n!ow ziKXrsg#WBcbOUTM0|=)9)9`v-as!+0_yG+YoO39zkt(rS#<-eB^WY((L2yK2gZI9r z$g!E#N8~^Newv^tbQq`S&YbSI-R1Bp!!Y7YL?-Cms`vbbV5H5^=xe~wV8y_8!q8^Q z9$`4fx&eHSDZvt>#Eq*Nk#9Z9%{M@d(;;|RVQ>&+b)|lc)2a}?tkBhCXd#9d%I1b* zzODGOnU7y64Ks>Br4il0%%jA61G6jccis!G;XSA=zJ~(qGi8~Ps8IxW%fV$cq0XUD z6HIe83g(E*3a$@~j7V~WFpu)+X4fC-*ppd$Uondk*4R><*-WF~W_fV<;>D61?6S`F zZFjlzN0zW^$r7q4XFFj8*XjUAE^!0L_Zc_}F0f|Jvl{R1M5OVrTy=w8O;{*>`~r8t z?ZuSMboxJ|A|rpHA}hE8Rd+e_M?m%K!nKn??x&ke3I|Dj2E0uOXE;-_t!T2DP3QEW zQPe9ndYaam3R9G>4lsi_&$Q8_<&lQnf$e=EhDMPf_sasUE&?c5n{Vb^#3NrHfl-hEoK+E z9<84?DFa5LvTKtVci12d7tk5#9@(3tHI^6&S6w0Wvv(DQhcE211`GDwAT+O zAog8xQim^WvH|^Y1~C}+JrpRn=Lkj~aR8{+yN=~7SwaRqx0)nQMB6%Bizu7dD$^>YpS}RC9ct!1p!3+>TA{Tmw8rcN;v2b!HRBhb?6Z@P}ap* zjG`b{*F6%mT*MQU5pQNHu|BCZkwDAXldK?A`PmV9cxaO$AZUFpJaU9MFKL4%gDC0n zGMh!J!fck6RWQbZ*O4hA&cnI0B%8#M9)w7w)$6V1tPX9m45#v0=jXc+X_(EDISrQ# z%}!KDpzNMj&~Vy&h*o#zt~H7r!AbqNRO|u2sthe`!Ft+K(_6E(khDo5v>{p6WiCCP zyJ-H970wpO?g@hii%1$&1&&)ck+{MZq$SENN?WTPdU$A)7dWlU3LaQ(>)yFx;lJJR 
zFFibM{(;|x~gjtba}>a{=_VkC7~^ges|k~dnx0*=ihNRwson5L}3 zNKTc*%7AE*CIrKevd}UmYqAl_z4QUjHfacn-lpAbD(=yC)NMpqmZo(D-|m=*Wu8^< z->Qr}da`xC59HZoC>GXDwjwSCk8e|sVAvg#@pKrj2jADt_I=>fCf~6VpKEt_N3iUU z_OJ#^Fb_uLD_x@R1C=((kq^>VG!sbrS1u(b;p{tyV3V>Dd0u1?KC`2l6-AWbFfMin z*L&V7yVELBrUyHoW*bu znFhjGhHkek7Gs%uGKeU3l?&L2Qsx1UqYyaM0RJkmnWrEt<~RfvV%>mLVqcNQD zPL*ii+Q9wDCO>o0-nGnqo%Sv_*gWcvsaf8^dB{opYZTmPNzEDZ_$y}FNGpeLTlSGv z)`oYO1neFf500~xN8QmlPt8*1rn$C0H+f`}jd=>v=vm$X(0rn1 z{sT0)AvQUdo4CB2lXusH?Li7_tBEP-f^VX!=*TC=#f*@;lB*tTsowrw;v8k^rq``mrr`<@sX}~$?{onbNwtco_7(#hMp?zQ!bL!0 z_cL^P9z))^FYjC#eCC*7G>;uoUz;J201xHpHgFLdpZ>6ZayoMQab*LsOx-^v=)7jA ze`80i4x!S44JeyoZ=gdq(YJ}vL@L|GwP(B z#vaUvI}b7jw%*ZS3q@JtYx*uxIzDXma2oV*BU&yiWim*{Sq_4DB-c5fX&^3t&FB7I ze=uM=gIppaG<6bbqA<}S!g(IvmT0txXIR`mfjDLP$dcyZotF9X-~cT2sH<=!t_Ja0 zmQaHhp#0TkQdOT&OVPoTh#WVgYMettZrw&iCy(smiiS93ibo%w)RQsJYdg-I>Pq58 zC(#uyaOY4FGY#k=i}i4XDCR7spih|1yJnxe_Q4;J=6pdPm4D@R+a_T zHqqeH1>-T&kNHt7t87g6RRw<1dPof9Xc+Q?rJ6Po4eIBJY9-)B^Hr)~>SWCwAhY(> z5Hn(>xgaOLbU4J5)L}p`tsCeth_Dt(kiOK%RM)CL!%@?jMi}YTsOx9l9ws~H1H8*k zFFb|(Cc2^27{{@Aj z-2#U#uN9u4b_krsVXTSur&KGaMxBoH02J3=(Q#=3{zZNtqqvxK*F*7xDI`e6(XvX` zlGNkXC_#!v_YA}wa~LbLrXsHI_=w|Iq{O-cV0iQm0To~(Us(v{P)Mj`Z;Mo);VIuE#XjLZ|#i1pm!`q}!8D5wcaR3^}O za9#{R*}amy;H`?q{Lk!SmL*d$J;96v>tEuxQO8F{z3Lrr-nz7_Zqb%UZ!&A6wDq}O ziSIYZQJ-5!?^08#b0e*MD7w^qg~6?|p`Pm%xtc|NYLZ_?U6RTNx_EmFo=eqU_&--& zGTn4^qd4yWNODO9HfBCvS3|6L$$YU~1Hu9PgG}nJ=6YxglDlcb-daR*(E3~-E3yFC zD(&*YU=uHGgtHH-F{h%2pi__j@8pcmeSoKvv*YMv=3sL*>X1l{q4ZlmVtnu+;`+ zg^oQ^sBhd!ay9|XWctp3$C9vt)`>K9yGVY1Y;3qI}nWg+MH; zGY6&YwA({#Iq zzK^@L8!NoyE+UyZePj-H7&Il8wPsfOi67pkwsFf1P9!z%8`eevWLGLh7>xP19&J&A zlbGpX4UD*0wmjJ;_U`ba#k2sTI^{u7B}JF^H99lQI6V0Va#ry$UkuSiJNJRqkmHIn zWcs48_!c?=8)04*!^~Fx!MlZ)uLiN5O=DEiayn5lWf56>q}JJ`$5hs!aE&J*`<&FJ z%xi7?6@0VLIl76JFOpbi>ME*k+V!xvCxq0e!&+fEc#Fv}(Va$blGDAPnWN9bw!u7O z)3YhI<$qjxA}J@nd@X|KUSI7%7svete(BZHmH8SbUGSN>Sg%UaI1!-?_44e=uBipR zXd$F%^vD1u`e1eZl!wUF#fARSg*HaP3q<#)qVC(IC-XCWJ8MM_rWfUFRb_>~%bo5= 
zqm23rsh64=_fQ_XHq*Yw7s)k(8p>yglb5e@e@}+#0-OwUL-XmU{46j~ojNKIBH&~g zYkhMYC1dL^R)F(iexC_5s%;sGJ>>L)NATt=2Qo^RRa$=6lex9%MpLE!x#b&fCqwH^ zT>odR2=R#Y@Xfc35*z#8=;lHjd9YN3tYkv^mQxO{nueWom+tjveEgpBQZL)VQY^QH{Y=_cn9qS#9FCmB)zK{ghrAc_F^SpCS z>v?zZE;fm4&*m-dZ-uIrK_9vwy;awqte3597w+nDAHU6heY#sOOb@kDWxm(+%5L4k zb2*z&#d_3j)UREuxUvB+{k7fG<6ireco(!_A+XK=&17u>rQt?#z48ptCBJ&kCUcUi zlC2be;L&*akf&hm=&Sd`YU$%cM`STqQ#kcuoK$4Y4^4gOFxmt*#sP${U6rypp;^!Xsi8C)6QA5id{Q3#D z@7a1e{uxnRWOoPIy=>!meQloGp47P`7jq|%j#X0hV|mpU7xSAQ-Gx;AMtC|B_PmFl zqslXzo|d^^&dRQ>FOud=w)1B}=eFMM?vI_Nf@@##zdk$xo`$`SV)y1Ht4Xa`N9RuX z(9!fj*M>_{qZ1CIV+~)z;mNjwiZYj95<-<7au#Lf_COc-xH5JOU-GcEcm6t-sQa27 z{(`xK9yM0_5&Xd==vL*9bSj(Pv(~%i@u98d$=n6IVYfvp)p3@$ogVk_mS=UY(k0b7 z5}sb*;`k;KcHH>-O5VinS`wEEhi55I-XeZ z7B`Ruk;%UB^I87O*Otf*o%OY|1n~X|_>*Hb@cO62n$Dxhm(Ex8#ve|vbhwen##k+F z*m7;`mCqNHr+2cV4_hX#7keYTo{*oz@YW-Cq~+yJQ)Raz_k?v!gr89CAn!Tn@4jKW zwwxtyd%_0sZX!U-B1lwze=^~3if^Z-3#OHVyW^vWfk9x{!L) zuIg>JnJbIKW_LYrhkY|bXZtgexSXv6BN6)kR_FfOZiQLD)(r8{rQN{`kU|iD(<(!%8YLhzs8Q|E=Vq}MUqK%DkCB;y`Upgr)4wXE@(>K zlZfRUHiC*xQ?k)M(c9Upt$4jf3C!KQ=Diqk`k&s6snYwjxUD|2^a8O};-A^RJty^7 z@5A5#>yBqH-Zc=qJ?bMqLMc88TTW?t!pg=h@3%Pc7MOm=amieWnH{y&S?~SA{9JCEw4(dBFGvV9|nLm81|yW$@pMqYf^jBj6o3yqnj(h)Oco^T#T@PqP-5 zEo~Tn;ZwflqM${$uXxgUk%Z7^ZYDh{@JP|-V?1Lx< zO`UEEDOn^kGpMVCfCqgPGHIyDY@Sk~c(7!4&@M5Mec=yC>Cw~d+cVD;qrAG^Nw*hB zdobb{K{Pj$p+t&-{7m5H zkwGctq>-Y@<*5GZrrPOyczTss~Rf!{q_VMH&))oDevu)LqiBZbueq zn7jaM$?jW%&07kt0DF9n!fBw1-o!(qi|GZi54ae1v)F=7$?;V$|B0si6TR{~nneGE zLJO^c*47^<0jZ91i!q_th(aGlO)CEy#m{%9JN~VXkxAY7@R^SbZ|lk^OdN=Q+e?I& zG(&fQ9RrusJHiN)FqaRPmYhOm&^q>1G0{P1P|!+mI$3W1WI7R6_#qc1D*~u8AxtsG zcy~Y0^FtdZ_&?0Um$NAn`20LCGa2b_{NTc90G@@FNsLwvV5OKL>F2*65iLP*!h_OR5yNnV zk<~nQ(QScNX0%e;Ad0UavW*mmi;9$!&@VBcKTCn&3g`@X_H-Q}UZS$QQpgoT{xIK^ zpCjBMWc@PUiU@`xonthJ#4bV+)tf^_{X}7u28h$*`V-gxC+_|~aXa#>fH;*$j3N?{ zFhXP0GY;SZYam?5Ll-R#6CH$0%+~+JjsA&ia{H5SUw-C2?to9t0Hp~PO{ip?m>J3_ z`BP2;M`_s}fDBRi-(=KW{~;p-4|8PFP68{|JlyhHuvRxV2h(SByh5O;iyMC?On2V4 
zf>_48NKOCXVt@Mwm+?QiaC(&WEUgSM4NEp4HI?kQCc|wM5hH+4__3S20Y0nz{~LyF z_~S~bDT**!Aw5LP{?oj~WH&p#A0pYPu4UIa0Ka#YDU9R6y{oKqNznIQWu}o%>>h?? zBvheATwij*AkQe1%8U=)xIA){8r)yk$ejP5b)F0@S?a3s_LC(`=cw?jU&LvpU)=DZ z!6-o-#UmRl^M1{w{On)*$4nd^f6QbG4}K&zxCnEs{s$h65#wYYgVo)^A2qN!3O-Ym z0^C<7hDWIDTN?!86GKhgApw3irvBe)!oSZ z|5@tu(2`)9H}=`m)zmkm?WU!s^CADCDgVfTlnp;w`gBpA|66zmGqwQ1y8r}l#a;O; z-n5gLQagOE97apRX+rMM%b;PD;Qb2le~2~!QJp27dusC}ym}O@FCC#%!VS3F^<#k) zd8eXLw{eNT_a-9YZ%Q@-X%gN&%^5&b@oq8;=!aE9uk*c?H*cxb%v%?E-kFPwr=Zj# zQOucrCLTD?n2RPiXTr}xiU+g^QP&}8 zZ8Q6O{U%A5kk#w-OjMa4w<~*Wnw~((52nY`2Y26DaFl47c ze}l#qB7kE-MiEl)@xMs{v7>a|PD*4YK5QHOu?*$T2-vvfePhP=jiqJ!F*FlmW#)HD zi1o~ertOcVrj6w>Nn+MQ)A-Y}&_RL4D{ZDedpTRjtXx9WJZj=j!49ywlp6`;WErOH5cq$2uciK(sv!I8)6~^)Xm}Zr*7}- z)(|M~L&rca@pBC9`US=&$f+pz)K;qRDL6htxK=%BGN@#QGR;qB$?En=QB$ucHsWDzpxQQ9QfGJ8DBDsuH& zDC2)p{Xnak5Kh`AN2c39ED>{DRGZUn7ntu_3=QWGENNF8kh9q>a6m>OCElHIBvPn>n)nledvLFd!V}3ZnY1(O-;O|3)FuvCy z*_^B$0jR+MRhG~+MzTx2O~{xlNv;xaZamH)?rLWWgcAGmH0w@m?9AgQBG$b9fU*0{_Q=p7o*zZ18$4&}3q%ROk)8kYI zz&Mw3fTW4k2$`BTinrDh@E4sfjGb%JH0pjcq~gN-#PwdBM68n65jTRkq%nz9aWo2> zvCy_tq#iMMR|a_VC|)Qsis5@NfaRYN-k0wg9ae2@(kv)0D)^Rrj0Te%9!d zRCd9DRSQW4RJ`Uog92au6EeYK0jUPo#BX8DS&dsa-V?zWIeCig)%Z3)H4Ec6_06eE z_15pyPfCS=fK_Rs68J+57=t0jCJJx}K&5Qumwf)s=8=sFZ#96;#Zl5BrxoTHBg}!O zqSSkNxLFHB_FPuv>kxzDqd#hDHpHD<#gOz&hON8Q!!4K1ArW-P44a%aPYxXZ4MB1W zm*`agJMRFzx>x{sjSwm8>;esy))dr{iVlE)N}!6q|uRFUiq6N6hc=#rI`= zXdbm8Q=}5n>s0tzc4~6_m{i~z{7D_5YeWb~Xj~Y$x{NZH41q-ayD|F5N2HLElUhbM za5-$yge?=NJAHKM-kZej*jz7~kwzv62xFFDIhWC*Moa8;BQXif{CBOc{?_Wd9Eha= z?U9ujj`I7WH7niZvrrwP(lX>SMfSRH;{crXmy5memv?9Jmr3~{2XiGB`xV0`fJ2QB z5g_k!vRfV6CAaL6Q}q9*;#11Z0#{Ess}N&>aX84a`jSMD)+s!*koE#?Xz03-#D8FD zNp49mq+IiGsiU!{0L2WaueBT85EGx3?DvmWPz!I{IAU_al67~n{w*@xv!c`6YQ_Sk zyKmDmadtGJ7Ey^BbxLGX$2C@kSeksgdw7eKhETrm^QAfUhoB=sWGY7aWud@o1jf>b z{=kNk?&8Z*ao@WX|Iv>o3yO%tMPr><7u3zQu2mwQc`dH| zE*Fw6VKNfFhYMlAkp+!G%LEoSNgoU%_S)}pSJS!Gh9TeDiqX-QFZ>SY`(TfbC; zx>#s*?u$p49$RU5L8ErG;$aWv6nN@=W1p;)Xof 
zgYr_}t$(c>VN}K?{SeTOM|u$dbkX&A>g3<8;dZ+nds94ztaX*6Ikv-Aa}## z+q!}>X6Yg?DIu%$pc_qicVQPa`1#;SM^SXg#`;gaCvjf&1vJZ%^`AVB-Duk#=&II= zNRBNC{=E*|?aNDAfY>rf-KF1h9rIOqTIkY9**u%|^*;h%V&OE|u#soPrp!C+Y zKYe!ti3rKppHmopjPTR>2ezqqiu;E0S>QSHmBpzr?e<{ZXK2YU98%WhC;w>_aF|(3 zc|LmxJoI(OLUb|LJlKzfq5o#bwNg>0&Gxip2>lB<+#kcT$@VVbsTNX>92%-SN1F4Oj(_%YJr^gTMYkv z;dz(rndA`S82-WZdjkw2X%UWz?{ElO;>pof1AO5uDn%>Q*?h}7lI;t2>ccJy$4niY@;T&hpN9Z-sKo3jQG=M-5Y14T=`rmIg=$nNzvVy@ zN2OWvf9ABNb#TT+7L3$r5hazU2!JZV?*Vr-&iO&_{ja?=Z)z`5%4bS%b)-PqseEs{ z%L@`LnQa@=f2)jf3*dB50IsE8Dyf`!d{ONxzIGrYxGe5cv4(?Vrk2#>e{)^})JRKc zc?AP|(9gNehIrtR|FK*4I*rkwz9MGgU(2ke`JZ7yz!wTB3~9g0w6ZdmOmnl*?-~0) zpsuQO{T>|cSuK^U;W|WAm{ZHPHBRMp3%B%i8-I6M9kGp(4yi9KV(em@cnnAy*)XmBySDz|2Qim-7Dm|TZ|RVq&G>CA5yUbTTk4~sMIF`4YVn@`(QU+gql#wg zd8~tRmm2m9{PwsE4BwVaC<)ax8ULcT{XTCmJ{2MnMO{5cp+Xbrv(VC{c6$~1E<#WK zt?c(+Zer1ShCMs=YUa~EF=hg`;YEdXNM()#fBC!zc)*!Nw#EcCR+m<9V_7GeNDO7X z?fU0v>ha~@Aq1eaJpEIFN|oPC2j7V$Vh4}L2Dz-W+aSvf?!U_#RxGL@m9W&{N>FYP zwf-=c4O9IiVsBgcuQYJq0c+M_XD@dus!XYY7EA}vM*cuk_ExL0fBF~x->Vez@?Mg7 zblq5kn+niM9T*%EQy2oY%JBpLJA>W}3-3amGKDfxJ1?$>M?u7;^8A>O?lm}iM)7+$ z4B`ah)!$cB)ajN($b%YO#9%=@HT7$f568d6yZ>>67c_xMQNpBol<9`lb&E_ zeSrvqi1Sz^B6sYMoWJu7kn(QM{meWD^w7@hS8P448UBazY}MBtp{Yj+oj)_kATUv} zU(*2gf!Zctw%i@VGdd?%m~^tmNREc|;+W;uCSCJU=YoF}4S6pqGPsd+FNxP6`$z*1 z_c~i+pK<`GY@@^3b+CBM$8rM2ay^!9BCu22fW6l(UNAGJU_ zm`DCL`YJ`=OZhBXki|B4g>i} zHp-YuiC|0dC6t?xV*m`!+`2EeXL*FR(u+zmG3ong(5ZLjJ%PzPGN#bI*w8->iX#-& zTPDEOC558+wI&!GK2jD$2albxoTGwkyc4HLuqL;GhD=t-R@1;Bo~cm;QYep_Ull}D zE_=m#y-v*&y!5VwWRQz*AQw+dI%)pUAb~g4auUaIPhk5Td9!|EbuuZQmG?v@{{PJy zSeSwcv$Ml3#3m169yo_kWoYNHEF1jtj{^VGEAwZYG^D0a$gS;qzA_ zPxOh5*=m~_x-O}z|6~H?;2k?t=tn7WFx+VIpgq1$6vw81cHDxP<2pKqzYh7&LXQzp zQPNJ98#qbws60dG1d63GHPDoc-i{o;KM-HPGZs=vh~#wcR+i4*zwc_|8&y1;(P|(6 z!{)YqqMnj+5YNp8ks+h7CX_K}`te<#SNe1pU5p^D-=2AE@gkB#q8k{lP{cqF^;WD*Dq8_P&Yh0E|$hyAp2f=3t zbhY{rwEt^aeIJVeAEb3S9uB7%GDP>Z7vcA~u_|2McRhYG;Z!781t8XvrJWcHw&v8< zbJHiXyUBOKa#s<^9l~Ma{tskg??lZQA5{yRF_Q=Ts|cPy8aiGcYpYh#pXU6viX&h! 
zjQTO#6AiM=BLx+$YFr_Tq{nzbl?S`Ug#1;|GyqpSQ+#(jP=@iqub>UIePaqgB%HNw?nm zTPw7_zCPH#L7jiydQ!d!(sj^G(Zzk1m%Qz`yV#cHeY+n?Rogf0(MsQE(bo~%uWzYe8q|y0FCu}I&IW#r1?5hosM9TlxJZf zMpNIcxmvE$ILlgWB#u*VO+wEhW)YHM=!f?-1QkNyUD(SN(vlO{$r<#>egTp?0c@$5 zh6jP-ogydNvot;GGpOqYId}srpo}58d&J(rI0xEG+N1R=qo2LY+93o~w>!h;tSX{x zWo^a##5R;Sc%Z9dfFFvuw&mclRHz3uYQWJJ1zgq3SZq{s%WnCj)UgD!q$(Xvt|9Y? zvYGG|Wqppi7^`Vh*Wg zCSW5ttQP{rnD`y@O*MeU-+omeIa3=Lx|gkX=j%8x@($0G*KMrmUPLf8xi6RNjD&_> zA2Bu$5YK$l?u4?Zmg_y}f~aHJW)bm1`gtZCT&wQwKnl1}gzuWyuZd#8J0}mC%nN^$ zHoFt?abT%L^ND^$-<7xYmHG8t_D;SS7sSI6l(Na{W@#X(!jDi7F3TH>Ka%9R( zMYe-8bS=l*^m)f;T>8I%JD&5AH;h#4Y=N*ChdhBeKqx@_3g%mcxX2UxeQZ@@Jv)Vm zh(L2TnLSL=fPm{hQxnwbgDl@H8FH*!?QkDF zv4sqK@{;1#ub+Jf@Jc{cc%6s_f_xIr8O^sC;Zr&R8vhx5v0~2;G z?mlssni?~7^`xmcbAX?|2)V0-Q>4Ik66lEe?Xg^V&2dP#-h-Lr;u_>)`w~7xd#0zL zQ7C05Po`@@^xMJZG0$XR?Km=Ris8Es8(Do8gWX|QO z4={6Y*anT%daTLgi?*J#m6H3`mXNFte?oq%hi5=amP zDN|cZN$&X$<}YfWkY%J967o3+-1~+^gEZtO%F;825z?{XQ}X>QB%}{q_drQ%8tWHU zpzBF1cPTj$-NFUHKz0dvZohxHcvvc51bb)**5Znbo^w!JcRIRxfU)Lvbqs?q`1;E6 z*)E-uRLB2rbkx?7;{&pjv89N&WR;i$p6-(1$}sq4bn^i`ighA0*&w(pB^Ua#DQCcL zZ}KjyP(pfk5F>&mJe)3LbaaW5j2_*Wt_;Ce*VjHq<|SIJwB{lL6n{T!cs zNiw%lx3fFi6L)gfX=SHhoO29)o%cr(sjWXH?{j;y4tZl_dGjCUsN1Rt%ev&n?CUsO4Vb$ zLEHX9J5GR86~JWlA~&j?{89&Rp?DQbNTCqO={KTDpHh!_?!DE>5&df$!@-Pu5Zy$;P97G z;4^48v0peey3ggY*FdPHoeN-px0uF$ZXf9wjIPZC5Zk*nQ3wF|vxj+b@Ulu|&QiIFw$%yZGE)*$n}zk-o=YK>n%ZlEAIR z7K#T&22v>;{X4S{OjVW{Mu$b*fGi{(pKI6RQ^Q~UR zDX+`ZhVmCOtFWdW;l;(C+O&}fk|r$o?tFfK8C@c@6LOnK*sv(3)qyyPQ^OfALzzCiWJU752&q4EGLKJD^zTqzW!Q z=opRu)FItJcHE+r?5C-0`=-`jL(MaKkVu_7#WRiI*hhK=*XDYNzhP zadxnvlL1d*8-S}mm}(N6o%CnMlgxR6gnA1cnngmRT_KJ!7RqFB4lrS zg0E1o`6>_l5)r$y&M~BzY}l6%7b#x;N7AaZ_!P{VQ{Kw?7HeYxT*Db}A_D41_O^IC z(M<)|5c!8nc%>txr}u_afuZra)p@-u3ut#%UWWb)%ur<`^YWjFGD zYBz&+l5k;}e$`tcPdkk(nReA*y&iVM(CJnaynR~cmF1H|H=bC;tEG~Lr$g7CoC}Ub zZS3W4he{?zgn@_NK2N<#@qHMlrAi|92jZP zbegACbUn!f*}gya&h=M)2{0WqQ>mWRP5v_CE>D9&UknzboN?sG7IkN2L_Q(cKOaL z$09Z7Di0h8D?uc4bdggZpYJTbja}JF(%2#M>n=Tof5PzCV|uxo 
z&C7foRLipDeJtfQJD=VjqmEosY`w&2g&qg8Fzvk$Ru}aAaiM;9B>JQFsCynMWVLgbH zs}Uiv#%MjBj~IMz-VXfW@IXezf|CTT3T|LmK!Tf9>YV46RJX@ zqKU{R(cfor&o~h>1nYy)XlOnhP7K~WkXz-hL_Vn8jJk0>fYM4PIBB=s z)=D-SXu`}C;6&x#C&CQngyT8#5PV3SV~KXC*j?}2B=M=v3Mj`@*7~x$!B#EUR-I&N zmD+Aw97&uceprH4b5`Jo&>@BySz!s;*Zb;wfB(}s+17`PM#9+xbtwE!_!^gDf5O0u z4S0?R-W)FAl%|b3)Y}e(3<|toH=I3DYliEL2-`YX9y`pqD|CJP=hrUSM!=-60lo_x zQR$|F=U75lSV}%a_>1jEX6N1Sl?5KyvM5 zjg!G{xTZSw0C@}%^LivuF)=Y=v@%Bay;cA>-UbiAlYyruA4#2yUBkm+O};2Ojg|i+!$#CgzPMj2rl>{(9jaTDyI91dY2a;X)e@N^_x-1%`06#br zG4=_-y0WU3S9Sk>0cTrhsF|-pGAFipVOKo-pQKOcp%Vpu5_~u_yqP6`OF&qhv@uU^h9; z10>^3IHurZZ=uG zv_8RXp?_jhz!HFh&YsX;_Fw^Pit-=f!)H<3r2U~~|3mAxtYzdv`==r#t&q_A#19V+ ze)*M;_&q(itZruOjNWW^i=gL>(>5+}l`Rpc^+;cxtp;A$aqlQESI_8QrMTSKK+%;P z5xoLoffZ%ca3<_GwTpJ(Jo9XJIb-cF(SDxQZ(yv% z3RYGX-vYeRPn zv~9V6(q_)fgT370CkgafQ7%w)jL~eoB@BAp4~$BW8=Lesj~5D@QEx)TZ)b%%i$pD? zg&7VSYRjpw?6A?;JlXDwLm6uZ1HXlr{(C);!+2e`v0-%4zGh}$=K|}Aik0d9aeb!S zpeME^zk9omWMnv{%twz*)JgjX)OHSy1@HyBTq8q_Bm0s9&Y2kd$#bN+}tobTdZ*R+5@!= zW{+}dvZ@uTUtRDRpTb+m?}vbVGHK-nL8*tomybRbQ{Kid$<#*CIdC>Svkazn@_(~3 z5@+@f$$bwVDd_ z9L7kA#`=8pr^H**WhAn746KZuNwQ&t@tPm;I4k$Q<`+MI7gsdu7H98Q!UoCQ>RAsv zB!~j0VMOwAC{`sT%*trpgy5LU2KCzjY$*7$z5;liH((jS&3)&@ zZn0+#kmNC#FG{+^3GBo5fWJa0oe+DrdY(xqD!4WgCBKf!%#YZI#3K8M$;G!fRB?@x zGZgXEC3^GcBs=iu{P;o8m9ga~bT=|!vp+Ki5gtkL)_%rMA}r%3-e}WOvwE-7e6%&1tt!SS;x#S+ zj-~0I{zTG{aIm~!5$kV~tNm5;YwqJ_Rd{wl?#bwiU zvX(n*Jjk-UZfFb?{cvoHJpi=PB)ei8fjw3LSGCq|-U#?!Y3;9y5C@Od^ONg%tl?eN zw<Rcij+cO?K#lrRnxzj6^9zY_>8qD8VOtwXV96N|pQ6R7ZFZ_Ki6O6r!K^UZj( zRnB|R%=cOrZ5}un>{57|*I1v&clA2E?fP1ln*3#EIq&PDV%}FyR=6IPD_jxhd{a-8 z$n3WyJ9jVd3$Oiv7<-D(4K~PMbPZ*S;>`zRcVMzA$;pKj^Q&7qh?=eCnDmOkb(FtV zTW=K15?FB+d?@f4#hm)!LogLAmVl5<8lp<5Sgo)?i?9WlR3ef}GR<@s@Pi(&fMC#d7t#RPV5z3a2L`=~ZbxJ? 
z;SUrUI{_?VU-hz)r!?8@QnWq9e5oVSSeCFSsJM#v!l!X?YFa1Tw9LE z)mjQOs=gq=-+#>H$l@SKIs5F%*1LTw|1$_o3T^<84E=*cTl-`X;6~IZBoHtpPy<6( zzTViDb8#9s=T%hC^}_X{LR_Rg!eV1xA73K`t zEg(14U-!1%Y2!FShAPecYz}c_e#CC<+O+yee%%wd6BPm_aVK|x&KFWWitU|XS_7*a zu&5Ja*2zh4#dkrXyT8AIu0t%C5a>QTJPEi?u8%FELXNIjWv5$YNQakF0)j?Lox1Zu zNe>t;Gw!_V(BEQ;^A*c9Q)cvJtD|V3ztj}54Mm{AE;6&D{q;E^E;NL%3E{+zC}ox= zd)62I&>YP~IgsXrIuHCsZd2l>;noR`qKo1vDE7PR1|6AzU%HQ21d3avVD?2zpgnWP zV&poHSi_#u8x*H!@~9>4Fl-++_ycaSU5rShPXbD!KE9cTH+LI4(#e?0w2n!#tpqIy zTKM+QO+7U@2~W(WpQyVlB<}Ka*Cb)#$yGiL;28mIR4JUY8FJGi%V4auTJD&X%tHLAono-+N4r&Z%SBg?d@)5pN4QW6vTCls?9#3Fc3LCVA? zSvek@_IG0W=OlA)o;lo{@`_z$bohIxIUej0Rcm6>JiCG$!CHof23D-?FH_SzOLQy3 zM4rk>$aQC{XwqVJNk}^Q5_m!*fQ0`-ua}$^X8Y zzu(d7b8Sj+Ha3vE-`Nl_cNc7!Dy4HOa*qomeY>w3Q{pq%9FD(U*)gz5DTInKA1