Merge pull request #10749 from Azure/AddRelevantTechniques

Adding missing TI based relevant techniques to detections

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
   let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events
@@ -60,5 +62,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: CS_ipEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml

@@ -1,6 +1,6 @@
 id: ddf47b6f-870c-5712-a296-1383acb13c82
 name: GreyNoise TI Map IP Entity to DnsEvents
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
 description: |
   This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents.
@@ -26,7 +26,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h; // Look back 1 hour for DNS events
   let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml

@@ -1,6 +1,6 @@
 id: c51628fe-999c-5150-9fd7-660fc4f58ed2
 name: GreyNoise TI map IP entity to OfficeActivity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
 description: |
   This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.
@@ -26,7 +26,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events
   let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml

@@ -1,6 +1,6 @@
 id: f6c76cc9-218c-5b76-9b82-8607f09ea1b4
 name: GreyNoise TI Map IP Entity to SigninLogs
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
 description: |
   'This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.'
@@ -29,7 +29,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;

Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml

@@ -1,6 +1,6 @@
 id: 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316
 name: GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)
-version: 1.0.2
+version: 1.0.3
 kind: Scheduled
 description: |
   'This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC.
@@ -75,7 +75,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CloudAppEvents.yaml

@@ -15,7 +15,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d; 
@@ -60,5 +62,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPAddress
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_CommonSecurityLog.yaml

@@ -18,7 +18,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h; // Look back 1 hour
   let ioc_lookBack = 14d; // Look back 14 days
@@ -69,5 +71,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: PA_Url
-version: 1.4.1
+version: 1.4.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DeviceNetworkEvents.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -68,5 +70,5 @@ entityMappings:
     fieldMappings:
       - identifier: CommandLine
         columnName: InitiatingProcessCommandLine
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_DnsEvents.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   // Define the lookback periods for time-based filters
   let dt_lookBack = 1h; // Look back 1 hour for DNS events
@@ -83,5 +85,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.2
+version: 1.4.3
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailEvents.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -53,5 +55,5 @@ entityMappings:
         columnName: Name
       - identifier: UPNSuffix
         columnName: UPNSuffix
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_EmailUrlInfo.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -74,5 +76,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_PaloAlto.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;  // Duration to look back for recent logs (1 hour)
   let ioc_lookBack = 14d;  // Duration to look back for recent threat intelligence indicators (14 days)
@@ -90,5 +92,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: PA_Url
-version: 1.4.1
+version: 1.4.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_SecurityAlert.yaml

@@ -24,7 +24,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -73,5 +75,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.2
+version: 1.4.3
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_Syslog.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
   let dt_lookBack = 1h;  // Define the time range to look back for syslog data (1 hour)
   let ioc_lookBack = 14d;  // Define the time range to look back for threat intelligence indicators (14 days)
@@ -85,5 +87,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.4.2
+version: 1.4.3
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/DomainEntity_imWebSession.yaml

@@ -24,7 +24,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - CommandAndControl
+relevantTechniques:
+  - T1071
 query: |
     let HAS_ANY_MAX = 10000;
     let dt_lookBack = 1h;
@@ -71,5 +73,5 @@ customDetails:
 alertDetailsOverride:
   alertDisplayNameFormat: A web request from {{SrcIpAddr}} to hostname  {{domain}} matched an IoC
   alertDescriptionFormat: A client with address {{SrcIpAddr}} requested the URL {{Url}}, whose hostname is a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blade for more information on the indicator.
-version: 1.0.5
+version: 1.0.6
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_AzureActivity.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -64,5 +66,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.6
+version: 1.2.7
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_CloudAppEvents.yaml

@@ -15,7 +15,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 10d;
   let ioc_lookBack = 30d;
@@ -45,5 +47,5 @@ entityMappings:
         columnName: User_Id
       - identifier: UPNSuffix
         columnName: UPNSuffix
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_EmailEvents.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -52,5 +54,5 @@ entityMappings:
         columnName: Name
       - identifier: UPNSuffix
         columnName: UPNSuffix
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_OfficeActivity.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -64,5 +66,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.6
+version: 1.2.7
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_PaloAlto.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -61,5 +63,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.5
+version: 1.2.6
 kind: Scheduled

Solutions/Threat Intelligence/Analytic Rules/EmailEntity_SecurityAlert.yaml

@@ -21,7 +21,9 @@ queryPeriod: 14d
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
-  - Impact
+  - InitialAccess
+relevantTechniques:
+  - T1566
 query: |
   let dt_lookBack = 1h;
   let ioc_lookBack = 14d;
@@ -69,5 +71,5 @@ entityMappings:
     fieldMappings:
       - identifier: Url
         columnName: Url
-version: 1.2.7
+version: 1.2.8
 kind: Scheduled