From ec16e021061fdd118a7f9b1e424b05bc206dbefc Mon Sep 17 00:00:00 2001
From: moti-ba <131643892+moti-ba@users.noreply.github.com>
Date: Sun, 29 Dec 2024 14:27:36 +0200
Subject: [PATCH] SWG file fixes and NetworkAccessAlerts table

---
 .../CustomTables/NetworkAccessAlerts.json | 93 +++++++++++++++++++
 .../Identity - AfterHoursActivity.yaml | 2 +-
 .../Identity - SharedSessions.yaml | 62 -------------
 .../SWG - Abnormal Deny Rate.yaml | 2 +-
 .../SWG - Abnormal Port to Protocol.yaml | 2 +-
 .../SWG - Source IP Port Scan.yaml | 2 +-
 6 files changed, 97 insertions(+), 66 deletions(-)
 create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
 delete mode 100644 Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml

diff --git a/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
new file mode 100644
index 00000000000..43f31e680dd
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/NetworkAccessAlerts.json
@@ -0,0 +1,93 @@
+{
+ "Name": "NetworkAccessAlerts",
+
+ {
+ "Name": "TenantId",
+ "Type": "string"
+ },
+ {
+ "Name": "TimeGenerated",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Id",
+ "Type": "string"
+ },
+ {
+ "Name": "DisplayName",
+ "Type": "string"
+ },
+ {
+ "Name": "Severity",
+ "Type": "string"
+ },
+ {
+ "Name": "ComponentName",
+ "Type": "string"
+ },
+ {
+ "Name": "DetectionTechnology",
+ "Type": "string"
+ },
+ {
+ "Name": "AlertType",
+ "Type": "string"
+ },
+ {
+ "Name": "Description",
+ "Type": "string"
+ },
+ {
+ "Name": "ProductName",
+ "Type": "string"
+ },
+ {
+ "Name": "PolicyId",
+ "Type": "string"
+ },
+ {
+ "Name": "LastActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "FirstActivityDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "SourceSystem",
+ "Type": "string"
+ },
+ {
+ "Name": "Techniques",
+ "Type": "string"
+ },
+ {
+ "Name": "SubTechniques",
+ "Type": "string"
+ },
+ {
+ "Name": "ExtendedProperties",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "RelatedResources",
+ "Type": "dynamic"
+ },
+ {
+ "Name": "IsPreview",
+ "Type": "bool"
+ },
+ {
+ "Name": "CreationDateTime",
+ "Type": "datetime"
+ },
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
+ {
+ "Name": "VendorName",
+ "Type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
index 41d20c1937d..9d802d71f03 100644
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/Identity - AfterHoursActivity.yaml
@@ -36,5 +36,5 @@ entityMappings:
 fieldMappings:
 - identifier: Address
 columnName: IPCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
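Review bot: The new schema file is not well-formed JSON, so whatever loads the CustomTables definitions will fail to parse it: the hunk's third line, between `"Name": "NetworkAccessAlerts",` and the first column object, is empty, and the column list is then closed by `+ ]` near the end of the hunk with no opening bracket or key. That blank line is presumably where the array key belongs, e.g. `"Properties": [` if that is the shape of the sibling files in this directory — confirm against one of them before merging. The file also ends without a trailing newline, which is harmless but worth fixing in the same touch.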
diff --git a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml b/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
deleted file mode 100644
index b518991bcb6..00000000000
--- a/Solutions/Global Secure Access/Analytic Rules/Identity - SharedSessions.yaml
+++ /dev/null
@@ -1,62 +0,0 @@
-id: 57abf863-1c1e-46c6-85b2-35370b712c1e
-name: GSA - Detect IP Address Changes and Overlapping Sessions
-description: |
- This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
-severity: High
-status: Available
-requiredDataConnectors:
- - connectorId: AzureActiveDirectory
- dataTypes:
- - EnrichedMicrosoft365AuditLogs
-queryFrequency: 1h
-queryPeriod: 24h
-triggerOperator: gt
-triggerThreshold: 0
-tactics:
- - InitialAccess
-relevantTechniques:
- - T1078
- - T1133
-query: |
- // Identify sessions
- let sessions =
- NetworkAccessTraffic
- | summarize
- StartTime = min(TimeGenerated),
- EndTime = max(TimeGenerated),
- SourceIps = make_set(SourceIp)
- by DeviceId, UserPrincipalName, SessionId
- | sort by StartTime asc;
- // Check for changed IP addresses and overlapping session times
- sessions
- | extend PreviousSourceIps = prev(SourceIps, 1)
- | extend PreviousEndTime = prev(EndTime, 1)
- | extend PreviousDeviceId = prev(DeviceId, 1)
- | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
- | where DeviceId == PreviousDeviceId
- and UserPrincipalName == PreviousUserPrincipalName
- | where array_length(set_difference(SourceIps, PreviousSourceIps)) > 0 // Check if the current and previous IP sets differ
- | where PreviousEndTime > StartTime // Check for overlapping session times
- | project
- DeviceId,
- UserPrincipalName,
- SourceIps,
- PreviousSourceIps,
- StartTime,
- EndTime,
- PreviousEndTime
- | extend
- IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]),
- PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]),
- AccountCustomEntity = UserPrincipalName
-entityMappings:
- - entityType: Account
- fieldMappings:
- - identifier: Name
- columnName: AccountCustomEntity
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: IPCustomEntity
-version: 1.0.2
-kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
index 8cae3de7ca2..c801861d7e9 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Deny Rate.yaml
@@ -54,5 +54,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: DestinationIp
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
index a195c01775c..ce384309e5c 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Abnormal Port to Protocol.yaml
@@ -50,5 +50,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: FqdnCustomEntity
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled
diff --git a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
index 9cb257bc4b7..4a72ca58554 100644
--- a/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
+++ b/Solutions/Global Secure Access/Analytic Rules/SWG - Source IP Port Scan.yaml
@@ -37,5 +37,5 @@ entityMappings:
 fieldMappings:
 - identifier: Url
 columnName: DestinationFqdn
-version: 1.0.1
+version: 1.0.2
 kind: Scheduled