Azure · v-atulyadav · Sep 24, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
@@ -530,5 +530,93 @@
 	"df292d06-f348-41ad-b780-0abb5acfe9ab",
     "b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8",
     "13424be6-aed7-448b-afe5-c03d8b29b4fe",
-	"04384937-e927-4595-8f3c-89ff58ed231f"
+	"04384937-e927-4595-8f3c-89ff58ed231f",
+	"518e6938-10ef-4165-af19-82f1287141bc",
+	"b6392f39-a1f4-4ec8-8689-4cb9d28c295a",
+	"16eda414-1550-4cdc-8512-0769901d3f05",
+	"7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422",
+	"5971f2e7-1bb2-4170-aa7a-577ed8a45c72",
+	"ba1a91ad-1f99-4386-b191-06a76ef213f8",
+	"bc2d8214-afb6-4876-b210-25b69325b9b2",
+	"712ffdd8-ddce-4372-85dd-063029b418cf",
+	"deb4b2c6-c10e-4044-8cf4-84243e40db73",
+	"81ede5df-2ec3-40a5-9dff-1fe6a841079d",
+	"63c799bc-7567-4e4d-97be-e143fcfaa333",
+	"92b76a34-502e-4a53-93ec-9fc37c3b358c",
+	"8e9a96dd-f85d-4f5e-a65f-dcc55d6d9935",
+	"e6259b03-622e-4e11-9c54-94987dad7c14",
+	"fb46ca1b-0b46-4d9c-b3b3-2f8f807e9f72",
+	"57f95ba7-938d-4a76-b411-c01034c0d167",
+	"0da830c3-5d0e-4b98-bfa1-d5131a8d0ebe",
+	"54569b06-47fc-41ae-9b00-f7d9b61337b6",
+	"430a9c0d-f3ce-46a3-a994-92b3ada0d1b2",
+	"b95994d1-1008-4c42-a74f-9f2967e39ed6",
+	"f840db5b-87c9-43c8-a8c3-5b6b83838cd4",
+	"a96c1571-1f7d-48dc-8287-7df5a5f0d987",
+	"2c6e7f75-d83c-4344-afdc-83335fe550e6",
+	"1c51e10e-7f77-40bc-bd37-6aa55cdf94d6",
+	"da7b973a-0045-4fd6-9161-269369336d24",
+	"6b478186-da3b-4d71-beaa-aa5b42908499",
+	"da932998-81dd-4be4-963c-f4890cb4192e",
+	"b2beec6a-2c1c-4319-a191-e70c2ee42857",
+	"12225f50-9d41-4b78-8269-cc127d98654c",
+	"cadf6e78-2a9a-4fb5-b788-30a592d699d3",
+	"95b0c7ed-2853-4343-80a9-ab076cf31e51",
+	"439f817c-845c-4dda-a8d9-5c1f6831cee9",
+	"07c85687-6dee-4266-9345-1e34de85d989",
+	"23dbd58b-23ce-42ae-b4d1-0dfdd35871ea",
+	"a3619c75-a927-4dbb-91cc-9adc55e95bda",
+	"fd68706e-8e3e-4ccd-9230-1f267bdad4c8",
+	"c73ae295-d120-4f79-aaed-de005f766ad2",
+	"fe2cb53e-4eb3-4676-87c1-f80d2813f542",
+	"b1f797d1-6ea4-4f8f-b663-6c8a1c1018e9",
+	"cdac93ef-56c0-45bf-9e7f-9cbf0ad06808",
+	"9d59be10-54d9-478b-b669-fb4eb8517cd0",
+	"25150085-015a-4673-9b67-bc6ad9475500",
+	"9b086a51-e396-4718-90d7-f7b3646e6581",
+	"516046e8-a460-4f7b-86eb-421d3a9cdff1",
+	"594fe5a1-53b6-466b-86df-028366c3994e",
+	"706b711a-7622-40f1-9ebb-331d1a0ff697",
+	"f708c866-073a-4107-a60b-ba6f86e54caa",
+	"68aa199c-259b-4bb0-8e7a-8ed6f96c5525",
+	"8c852f12-499f-499b-afc1-25c50aa9b462",
+	"f6354c94-3a95-4235-8530-414f016a7bf6",
+	"dc7e1eb5-16f5-4ad5-96a1-794970f4b310",
+	"54d3455d-27e0-4ceb-99f9-375abd620151",
+	"8d298b5c-feca-4add-bd42-e43e0a317a88",
+	"3131d0ba-32c9-483e-a25c-82e26a07e116",
+	"a12cac64-ea6d-46d4-91a6-262b165fb9ad",
+	"9e8faa62-7222-48a5-a78f-ef2d22f866dc",
+	"6f96f6d7-d972-421e-a59f-6b9a8de81324",
+	"9f135aef-ad25-4df2-bdab-8399978a36a2",
+	"99713387-9d61-49eb-8edc-f51153d8bb01",
+	"6a570927-8638-4a6f-ac09-72a7d51ffa3c",
+	"cdc4da1c-64a1-4941-be59-1f5cc85481ab",
+	"b3180ac0-6d94-494a-8b8c-fcc84319ea6e",
+	"011c3d48-f6ca-405f-9763-66c7856ad2ba",
+	"e90345b3-439c-44e1-a85d-8ae84ad9c65b",
+	"71aeb41d-c85c-4569-bb08-6f1cd38bca49",
+	"1c390fd7-2668-4445-9b7d-055f3851be5f",
+	"2d2351ca-e9a6-4286-b445-a9268189c1dc",
+	"8c9bc29b-f32a-49fe-8fe8-450479f4130f",
+	"0bd33643-c517-48b1-8211-25a7fbd15a50",
+	"de480ca4-4095-4fef-b3e7-2a3f17f24e78",
+	"a8ccbf35-4c6d-4a8f-8c42-04fd9b000a27",
+	"27ee28e7-423b-48c9-a410-cbc6c8e21d25",
+	"e3b7b5c1-0e50-4dfb-b73a-c226636eaf58",
+	"9d6c8c17-06b0-4044-b18e-35eb3dfc5cf2",
+	"a1664330-810a-473b-b354-acbaa751a294",
+	"d24e9c4a-b72a-4a85-89cd-83760ae61155",
+	"3f007cdc-86bf-4657-9015-05101a3e54f5",
+	"efe27064-6d35-4720-b7f5-e0326695613d",
+	"bc46e331-3cb0-483d-9c90-989d2a59457f",
+	"03e61096-20d0-46eb-b8e0-a507dd00a19f",
+	"f075d4c4-cf76-4e5d-9c2d-9ed524286316",
+	"891f4865-75e5-4d40-bc24-ebf97da3ca9a",
+	"d823da0e-1334-4a66-8ff4-2c2c40d26295",
+	"08aff8c6-b983-43a3-be95-68a10c3d35e6",
+	"492f1ea1-37c3-410a-a2f2-4e4eae2ff7f9",
+	"c10b22a0-6021-46f9-bdaf-05bf2350a554"
+
+
 ]
@@ -1,27 +1,4 @@
 id: 518e6938-10ef-4165-af19-82f1287141bc
 name: ATP policy status check
 description: |
-  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' in Microsoft Defender for Office 365.
-description-detailed: |
-  This query displays the configuration auditing for 'Safe Attachments for SharePoint, OneDrive, and Microsoft Teams' and 'Safe Documents' settings in Microsoft Defender for Office 365.
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
-requiredDataConnectors:
-  - connectorId: MicrosoftThreatProtection
-    dataTypes:
-      - CloudAppEvents
-tactics:
-  - DefenseEvasion
-relevantTechniques:
-  - T1562
-query: |
-  CloudAppEvents
-  | where Application == "Microsoft Exchange Online"
-  | where ActionType == "Set-AtpPolicyForO365"
-  | mv-expand ActivityObjects
-  | extend Name = tostring(ActivityObjects.Name)
-  | extend Value = tostring(ActivityObjects.Value)
-  | where Name in ("EnableATPForSPOTeamsODB", "EnableSafeDocs", "AllowSafeDocsOpen")
-  | extend packed = pack(Name, Value)
-  | summarize PackedInfo = make_bag(packed), ActionType = any(ActionType) by Timestamp, AccountDisplayName
-  | evaluate bag_unpack(PackedInfo)
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/ATP%20policy%20status%20check.yaml'
@@ -1,18 +1,4 @@
 id: b6392f39-a1f4-4ec8-8689-4cb9d28c295a
 name: JNLP-File-Attachment
 description: |
-  JNLP file extensions are an uncommon file type often used to deliver malware.
-description-detailed: |
-  JNLP file extensions are an uncommon file type often used to deliver malware.
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
-  dataTypes:
-  - EmailAttachmentInfo
-tactics:
-- InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  EmailAttachmentInfo
-  | where FileName endswith ".jnlp"
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/JNLP%20attachment.yaml'
@@ -1,23 +1,4 @@
 id: 16eda414-1550-4cdc-8512-0769901d3f05
 name: Safe Attachments detections
 description: |
-  This query provides insights on the detections done by Safe Attachment detections
-description-detailed: |
-  This query provides insights on the detections done by Safe Attachment detections.
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/safe-attachments-about
-requiredDataConnectors:
-  - connectorId: MicrosoftThreatProtection
-    dataTypes:
-      - EmailEvents
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  EmailEvents
-  | where DetectionMethods != "" 
-  | extend detection= tostring(parse_json(DetectionMethods).Phish) 
-  | where detection has "File detonation reputation" or detection has "File detonation"
-  | summarize total=count() by bin(Timestamp, 1d) 
-  | order by Timestamp asc
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Attachment/Safe%20attachment%20detection.yaml'
@@ -1,23 +1,4 @@
 id: 7fbf7687-5ded-4c39-9fe9-f4f6aa6fc422
 name: Authentication failures by time and authentication type
 description: |
-  This query helps reviewing authentication failure count by authentication type. Update the authentication type below as DMARC, DKIM, SPM, CompAuth
-description-detailed: |
-  This query helps reviewing authentication failure detection count by authentication type in Defender for Office 365. Update the authentication type below as DMARC, DKIM, SPM, CompAuth to see different results.
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
-requiredDataConnectors:
-  - connectorId: MicrosoftThreatProtection
-    dataTypes:
-      - EmailEvents
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  EmailEvents
-  | where Timestamp > ago (30d)
-  | project Timestamp, AR=parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, SenderFromAddress, ThreatTypes, DetectionMethods
-  | evaluate bag_unpack(AR)
-  | where DMARC == "fail"
-  | summarize count() by bin(Timestamp, 1d)
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Authentication%20failures.yaml'
@@ -1,22 +1,4 @@
 id: 5971f2e7-1bb2-4170-aa7a-577ed8a45c72
 name: Spoof attempts with auth failure
 description: |
-  This query helps in checking for spoofing attempts on the domain with Authentication failures
-description-detailed: |
-  This query helps in checking for spoofing attempts on the domain with Authentication failures.
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/anti-phishing-protection-spoofing-about
-requiredDataConnectors:
-  - connectorId: MicrosoftThreatProtection
-    dataTypes:
-      - EmailEvents
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  EmailEvents 
-  | where Timestamp > ago (1d) and DetectionMethods contains "spoof"  
-  | project Timestamp, AR=parse_json(AuthenticationDetails) , NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4,ThreatTypes, DetectionMethods, ThreatNames  
-  | evaluate bag_unpack(AR)  
-  | where SPF == "fail" or DMARC == "fail" or DKIM == "fail" or CompAuth == "fail"
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/Authentication/Spoof%20attempts%20with%20auth%20failure.yaml'
@@ -1,29 +1,4 @@
 id: ba1a91ad-1f99-4386-b191-06a76ef213f8
 name: Audit Email Preview-Download action
 description: |
-  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
-description-detailed: |
-  This query helps report on who Previewed/Downloaded email messages using the Email entity page in Defender for Office 365
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-email-entity-page#actions-on-the-email-entity-page
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
-  dataTypes:
-  - CloudAppEvents
-tactics:
-- PrivilegeEscalation
-relevantTechniques:
-  - T1078
-query: |
-  CloudAppEvents
-  | project Timestamp, ActionType, AccountDisplayName, AR=parse_json(RawEventData) 
-  | evaluate bag_unpack(AR)
-  | where RecordType == "38" and ExtendedProperties contains "DownloadEMail" or ExtendedProperties contains "GetMailPreviewUrl"
-  | serialize 
-  | extend RowNumber = row_number()
-  | mv-expand ExtendedProperties
-  | evaluate bag_unpack(ExtendedProperties, 'xp_')
-  | extend DownloadEMail = iff(tostring(xp_Name) == 'DownloadEMail', xp_Value, ''), GetMailPreviewUrl = iff(tostring(xp_Name) == 'GetMailPreviewUrl', xp_Value, ''), MailboxId = iff(tostring(xp_Name) == 'MailboxId', xp_Value, ''), InternetMessageId = iff(tostring(xp_Name) == 'InternetMessageId', xp_Value, '')
-  | summarize Timestamp = any(Timestamp), ActionType = any(ActionType), AccountDisplayName = any(AccountDisplayName),  DownloadEmail = make_set_if(DownloadEMail, isnotempty( DownloadEMail)), GetMailPreviewUrl = make_set_if(GetMailPreviewUrl, isnotempty( GetMailPreviewUrl)), MailboxId = make_set_if(MailboxId, isnotempty( MailboxId)), InternetMessageId = make_set_if(InternetMessageId, isnotempty( InternetMessageId)) by RowNumber
-  | extend DownloadEmail = tobool(DownloadEmail[0]), GetMailPreviewUrl = tobool(GetMailPreviewUrl[0]), MailboxId = tostring(MailboxId[0]), InternetMessageId = tostring(InternetMessageId[0])
-  | project-away RowNumber
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Audit%20Email%20Preview-Download%20action.yaml'
@@ -1,20 +1,4 @@
 id: bc2d8214-afb6-4876-b210-25b69325b9b2
 name: Hunt for TABL changes
 description: |
-  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
-description-detailed: |
-  This query helps hunting for Tenant allow/block list (TABL) changes in Defender for Office 365
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
-  dataTypes:
-  - CloudAppEvents
-tactics:
-  - DefenseEvasion
-relevantTechniques:
-  - T1562
-query: |
-  CloudAppEvents
-  | where ActionType contains "TenantAllowBlockListItems"
-  | order by Timestamp desc
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Hunt%20for%20TABL%20changes.yaml'
@@ -1,20 +1,4 @@
 id: 712ffdd8-ddce-4372-85dd-063029b418cf
 name: Local time to UTC time conversion
 description: |
-  Advanced Hunting has default timezone as UTC time. Filters in Advanced Hunting also work in UTC by default whereas query results are shown in local time if user has selected local time zone in security center settings.
-description-detailed: |
-  This is a sample query to convert local time to UTC time and can be used with any table. User needs to update the query with local time zone using the available options at https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/timezone
-requiredDataConnectors:
-  - connectorId: MicrosoftThreatProtection
-    dataTypes:
-      - EmailEvents
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  EmailEvents
-  | where Timestamp between (datetime_local_to_utc(datetime(2023-08-10T00:00:00Z),"Europe/Madrid") .. datetime_local_to_utc(datetime(2023-08-31T23:59:59Z),"Europe/Madrid"))
-  | where DeliveryAction == "Delivered"
-  | where LatestDeliveryLocation == "Quarantine"
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/Local%20time%20to%20UTC%20time%20conversion.yaml'
@@ -1,66 +1,4 @@
 id: deb4b2c6-c10e-4044-8cf4-84243e40db73
 name: MDO daily detection summary report
 description: |
-  This query helps report daily on total number of emails, total number of emails detected aby Defender for Office 365
-description-detailed: |
-  This query helps report daily on total number of emails, total number of emails detected as Malware, Phish, Spam, Bulk, total number of user or admin submissions, total number of ZAP events, total number of AIR investigations and their result
-  Reference - https://learn.microsoft.com/en-us/defender-office-365/mdo-about
-requiredDataConnectors:
-- connectorId: MicrosoftThreatProtection
-  dataTypes:
-  - CloudAppEvents
-  - AlertEvidence
-  - EmailEvents
-  - EmailPostDeliveryEvents
-tactics:
-  - InitialAccess
-relevantTechniques:
-  - T1566
-query: |
-  let QueryTime = 30d;
-  let Reports = CloudAppEvents 
-  | where Timestamp > ago(QueryTime)
-  | where ActionType == "UserSubmission" or ActionType == "AdminSubmission"
-  | extend MessageDate = todatetime((parse_json(RawEventData)).MessageDate)
-  | extend NetworkMessageID = tostring((parse_json(RawEventData)).ObjectId)
-  | extend Date_value = tostring(format_datetime( MessageDate, "yyyy-MM-dd"))
-  | distinct Date_value,NetworkMessageID
-  | summarize count() by Date_value
-  | project Date_value, MessagesGotReported=count_;
-  let ThreatByAutomation = (AlertEvidence | where Title == "Email reported by user as malware or phish")
-  | extend LastVerdictfromAutomation = tostring((parse_json(AdditionalFields)).LastVerdict)
-  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
-  | extend DetectionFromAIR = iif(isempty(LastVerdictfromAutomation), "NoThreatsFound", tostring(LastVerdictfromAutomation))
-  | summarize PostDeliveryTotalAIRInvestigations = count(),
-           PostDeliveryAirNoThreatsFound = countif(DetectionFromAIR contains "NoThreatsFound"),
-           PostDeliveryAirSuspicious = countif(DetectionFromAIR contains "Suspicious"),
-           PostDeliveryAirMalicious = countif(DetectionFromAIR contains "Malicious")
-           by Date_value          //Date Reported from Message Submissions from CloudAppEvents does not match to the AIR Investigations from Alert playbooks
-  | project Date_value, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirSuspicious, PostDeliveryAirMalicious;
-  let DeliveryInboundEvents = (EmailEvents | where EmailDirection == "Inbound" and Timestamp > ago(QueryTime)
-  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
-  | project Date_value, Timestamp, NetworkMessageId, DetectionMethods ,RecipientEmailAddress);
-  let PostDeliveryEvents = (EmailPostDeliveryEvents | where ActionType contains "ZAP" and ActionResult == "Success"| join DeliveryInboundEvents on RecipientEmailAddress, NetworkMessageId //Only successful ZAP Events, there could still be more, join on Recipient and NetID
-  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd")) //Zap Timestamp is used and not MessageDate received
-  | summarize PostDeliveryZAP=count() by Date_value);
-  let DeliveryByThreat = (DeliveryInboundEvents
-  | where Timestamp > ago(QueryTime)
-  | extend Date_value = tostring(format_datetime( Timestamp, "yyyy-MM-dd"))
-  | extend MDO_detection = parse_json(DetectionMethods)
-  | extend FirstDetection = iif(isempty(MDO_detection), "Clean", tostring(bag_keys(MDO_detection)[0]))
-  | extend FirstSubcategory = iif(FirstDetection != "Clean" and array_length(MDO_detection[FirstDetection]) > 0, strcat(FirstDetection, ": ", tostring(MDO_detection[FirstDetection][0])), "No Detection (clean)"))
-  | summarize TotalEmails = count(),
-           Clean = countif(FirstSubcategory contains "Clean"),
-           Malware = countif(FirstSubcategory contains "Malware"),
-           Phish = countif(FirstSubcategory contains "Phish"),
-           Spam = countif(FirstSubcategory contains "Spam" and FirstSubcategory !contains "Bulk"),
-           Bulk = countif(FirstSubcategory contains "Bulk")                  
-           by Date_value;
-  DeliveryByThreat
-  | join kind=fullouter Reports on Date_value
-  | join kind=fullouter PostDeliveryEvents on Date_value
-  | join kind=fullouter ThreatByAutomation on Date_value
-  | sort by Date_value asc
-  | project Date_value, Clean, Malware, Phish, Spam, Bulk, MessagesGotReported, PostDeliveryZAP, PostDeliveryTotalAIRInvestigations, PostDeliveryAirNoThreatsFound, PostDeliveryAirMalicious, PostDeliveryAirSuspicious
-  | where isnotempty(Date_value) // As Reports from CloudAppEvents Submissions could contain messages submitted before 30 days it is good to remove all > 30 days, otherwise EMailEvents wouldn't have a date
-version: 1.0.0
+  'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDR/Hunting%20Queries/Email%20Queries/General/MDO%20daily%20detection%20summary%20report.yaml'