Azure · v-atulyadav · Aug 29, 2024 · Aug 8, 2024 · Aug 8, 2024 · Aug 13, 2024
@@ -0,0 +1,197 @@
+{
+  "Name": "EnrichedMicrosoft365AuditLogs",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "Id",
+      "Type": "string"
+    },
+    {
+      "Name": "RecordType",
+      "Type": "int"
+    },
+    {
+      "Name": "Operation",
+      "Type": "string"
+    },
+    {
+      "Name": "OrganizationId",
+      "Type": "string"
+    },
+    {
+      "Name": "UserType",
+      "Type": "string"
+    },
+    {
+      "Name": "ActorUserType",
+      "Type": "string"
+    },
+    {
+      "Name": "UserKey",
+      "Type": "string"
+    },
+    {
+      "Name": "Workload",
+      "Type": "string"
+    },
+    {
+      "Name": "ResultStatus",
+      "Type": "string"
+    },
+    {
+      "Name": "ObjectId",
+      "Type": "string"
+    },
+    {
+      "Name": "UserId",
+      "Type": "string"
+    },
+    {
+      "Name": "ClientIp",
+      "Type": "string"
+    },
+    {
+      "Name": "UniqueTokenId",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceId",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceOperatingSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "DeviceOperatingSystemVersion",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceIp",
+      "Type": "string"
+    },
+    {
+      "Name": "AdditionalProperties",
+      "Type": "dynamic"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "Type",
+      "Type": "string"
+    },
+    {
+      "Name": "antId",
+      "Type": "string"
+    },
+    {
+      "Name": "Action",
+      "Type": "string"
+    },
+    {
+      "Name": "PolicyRuleId",
+      "Type": "string"
+    },
+    {
+      "Name": "PolicyId",
+      "Type": "string"
+    },
+    {
+      "Name": "SentBytes",
+      "Type": "long"
+    },
+    {
+      "Name": "ReceivedBytes",
+      "Type": "long"
+    },
+    {
+      "Name": "ReferrerHeader",
+      "Type": "string"
+    },
+    {
+      "Name": "OriginHeader",
+      "Type": "string"
+    },
+    {
+      "Name": "XForwardedFor",
+      "Type": "string"
+    },
+    {
+      "Name": "DestinationWebCategories",
+      "Type": "string"
+    },
+    {
+      "Name": "FilteringProfileId",
+      "Type": "string"
+    },
+    {
+      "Name": "FilteringProfileName",
+      "Type": "string"
+    },
+    {
+      "Name": "PolicyName",
+      "Type": "string"
+    },
+    {
+      "Name": "RuleName",
+      "Type": "string"
+    },
+    {
+      "Name": "InitiatingProcessName",
+      "Type": "string"
+    },
+    {
+      "Name": "ResourceTenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "ThreatType",
+      "Type": "string"
+    },
+    {
+      "Name": "DestinationUrl",
+      "Type": "string"
+    },
+    {
+      "Name": "Description",
+      "Type": "string"
+    },
+    {
+      "Name": "AppId",
+      "Type": "string"
+    },
+    {
+      "Name": "ConnectorId",
+      "Type": "string"
+    },
+    {
+      "Name": "ConnectorName",
+      "Type": "string"
+    },
+    {
+      "Name": "ConnectorIp",
+      "Type": "string"
+    },
+    {
+      "Name": "ConnectionStatus",
+      "Type": "string"
+    },
+    {
+      "Name": "AccessType",
+      "Type": "string"
+    },
+    {
+      "Name": "ProcessingRegion",
+      "Type": "string"
+    }
+  ]
+}
@@ -0,0 +1,61 @@
+{
+  "Name": "RemoteNetworkHealthLogs",
+  "Properties": [
+    {
+      "Name": "TenantId",
+      "Type": "string"
+    },
+    {
+      "Name": "TimeGenerated",
+      "Type": "datetime"
+    },
+    {
+      "Name": "CreatedDateTime",
+      "Type": "datetime"
+    },
+    {
+      "Name": "Id",
+      "Type": "string"
+    },
+    {
+      "Name": "RemoteNetworkId",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceIp",
+      "Type": "string"
+    },
+    {
+      "Name": "DestinationIp",
+      "Type": "string"
+    },
+    {
+      "Name": "Description",
+      "Type": "string"
+    },
+    {
+      "Name": "BgpRoutesAdvertisedCount",
+      "Type": "int"
+    },
+    {
+      "Name": "SentBytes",
+      "Type": "long"
+    },
+    {
+      "Name": "ReceivedBytes",
+      "Type": "long"
+    },
+    {
+      "Name": "Status",
+      "Type": "string"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "string"
+    },
+    {
+      "Name": "Type",
+      "Type": "string"
+    }
+  ]
+}
@@ -0,0 +1,40 @@
+id: 4c9f0a9e-44d7-4c9b-b7f0-f6a6e0d8f8fa
+name: Detect Connections Outside Operational Hours
+description: This query identifies connections that occur outside of the defined operational hours. It helps in monitoring and flagging any unusual activity that may occur during non-business hours, indicating potential security concerns or policy violations.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 24h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+  - T1133
+query: |
+  let starttime = todatetime('{{StartTimeISO}}');
+  let endtime = todatetime('{{EndTimeISO}}');
+  let operational_start_hour = 8; // Start of operational hours (8 AM)
+  let operational_end_hour = 18; // End of operational hours (6 PM)
+  NetworkAccessTraffic
+  | where TimeGenerated between(starttime .. endtime)
+  | extend HourOfDay = datetime_part('hour', TimeGenerated)
+  | where HourOfDay < operational_start_hour or HourOfDay >= operational_end_hour
+  | project TimeGenerated, UserPrincipalName, SourceIp, DestinationIp, DestinationPort, Action, DeviceId, DeviceOperatingSystem, ConnectionId
+  | extend IPCustomEntity = SourceIp, AccountCustomEntity = UserPrincipalName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,47 @@
+id: 57abf863-1c1e-46c6-85b2-35370b712c1e
+name: Detect IP Address Changes and Overlapping Sessions
+description: |
+  This query identifies network sessions based on DeviceId and UserPrincipalName, then checks for changed IP addresses and overlapping session times.
+severity: High
+status: Available
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - EnrichedMicrosoft365AuditLogs
+queryFrequency: 1h
+queryPeriod: 24h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+  - T1133
+query: |
+  // Identify sessions
+  let sessions = 
+    NetworkAccessTraffic
+    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SourceIps = make_set(SourceIp) by DeviceId, UserPrincipalName, SessionId
+    | sort by StartTime asc;
+  // Check for changed IP addresses and overlapping session times
+  sessions
+    | extend PreviousSourceIps = prev(SourceIps, 1)
+    | extend PreviousEndTime = prev(EndTime, 1)
+    | extend PreviousDeviceId = prev(DeviceId, 1)
+    | extend PreviousUserPrincipalName = prev(UserPrincipalName, 1)
+    | where DeviceId == PreviousDeviceId and UserPrincipalName == PreviousUserPrincipalName
+    | where set_difference(SourceIps, PreviousSourceIps) != dynamic([]) // Check if the current and previous IP sets differ
+    | where PreviousEndTime > StartTime // Check for overlapping session times
+    | project DeviceId, UserPrincipalName, SourceIps, PreviousSourceIps, StartTime, EndTime, PreviousEndTime
+    | extend IPCustomEntity = tostring(array_slice(SourceIps, 0, 1)[0]), PreviousIPCustomEntity = tostring(array_slice(PreviousSourceIps, 0, 1)[0]), AccountCustomEntity = UserPrincipalName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled