diff --git a/docs/advisories/20240718003-Cisco-Security-Advisories.md b/docs/advisories/20240718003-Cisco-Security-Advisories.md index c5187db95..aeac6062e 100644 --- a/docs/advisories/20240718003-Cisco-Security-Advisories.md +++ b/docs/advisories/20240718003-Cisco-Security-Advisories.md @@ -6,18 +6,18 @@ The WA SOC has been made aware of a number of critical-to-medium vulnerabilites ## What is vulnerable? -| Product(s) Affected | Version(s) | CVE | CVSS | Severity | -| ----------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ------------------ | -| Cisco Smart Software Manager | Versions before 8-202212 | [CVE-2024-20419](https://nvd.nist.gov/vuln/detail/CVE-2024-20419) | 10 | **Critical** | -| Cisco Secure Email Gateway | The Content Scanner Tools version is earlier than 23.3.0.4823 | [CVE-2024-20401](https://nvd.nist.gov/vuln/detail/CVE-2024-20401) | 9.8 | **Critical** | -| Cisco Secure Web Appliance | Versions before 14.5.3 MR (Jul 2024), 15.0 MR (Aug 2024), and 15.2.0-164 | [CVE-2024-20435](https://nvd.nist.gov/vuln/detail/CVE-2024-20435) | 8.8 | High | -| RADIUS Protocol | RFC 2865 | [CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596) | 8.1 | High | -| Cisco Intelligent Node | Cisco iNode Software versions before 4.0.0
Cisco iNode Manager Software versions before 24.1 | [CVE-2024-20323](https://nvd.nist.gov/vuln/detail/CVE-2024-20323) | 7.5 | High | -| Cisco Small Business RV Series Router Firmware for RV340 and RV345 Dual WAN Gigabit VPN Routers | 1.0.03.24 or later (has reached end-of-life) | [CVE-2024-20416](https://nvd.nist.gov/vuln/detail/CVE-2024-20416) | 6.5 | Medium | -| Cisco Secure Email Gateway | Versions before 14.2.3-027, and 15.0.0-097 | [CVE-2024-20429](https://nvd.nist.gov/vuln/detail/CVE-2024-20429) | 6.5 | Medium | -| Cisco Webex App | Cloud-based software | [ CVE-2024-20395](https://nvd.nist.gov/vuln/detail/CVE-2024-20395)
[CVE-2024-20396](https://nvd.nist.gov/vuln/detail/CVE-2024-20396) | 6.4
5.3 | Medium
Medium | -| Cisco Identity Services Engine Software | Versions before 3.1P10 (Jan 2025), 3.2P7 (Sep 2024), and 3.3P3 | [CVE-2024-20296](https://nvd.nist.gov/vuln/detail/CVE-2024-20296) | 4.7 | Medium | -| Cisco Expressway Series | Versions before 15.0.2 | [CVE-2024-20400](https://nvd.nist.gov/vuln/detail/CVE-2024-20400) | 3.1 | Medium | +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ----------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ------------- | ------------------ | +| Cisco Smart Software Manager | Versions before 8-202212 | [CVE-2024-20419](https://nvd.nist.gov/vuln/detail/CVE-2024-20419) | 10 | **Critical** | +| Cisco Secure Email Gateway | The Content Scanner Tools version is earlier than 23.3.0.4823 | [CVE-2024-20401](https://nvd.nist.gov/vuln/detail/CVE-2024-20401) | 9.8 | **Critical** | +| Cisco Secure Web Appliance | Versions before 14.5.3 MR (Jul 2024), 15.0 MR (Aug 2024), and 15.2.0-164 | [CVE-2024-20435](https://nvd.nist.gov/vuln/detail/CVE-2024-20435) | 8.8 | High | +| RADIUS Protocol | RFC 2865 | [CVE-2024-3596](https://nvd.nist.gov/vuln/detail/CVE-2024-3596) | 8.1 | High | +| Cisco Intelligent Node | Cisco iNode Software versions before 4.0.0
Cisco iNode Manager Software versions before 24.1 | [CVE-2024-20323](https://nvd.nist.gov/vuln/detail/CVE-2024-20323) | 7.5 | High | +| Cisco Small Business RV Series Router Firmware for RV340 and RV345 Dual WAN Gigabit VPN Routers | 1.0.03.24 or later (has reached end-of-life) | [CVE-2024-20416](https://nvd.nist.gov/vuln/detail/CVE-2024-20416) | 6.5 | Medium | +| Cisco Secure Email Gateway | Versions before 14.2.3-027, and 15.0.0-097 | [CVE-2024-20429](https://nvd.nist.gov/vuln/detail/CVE-2024-20429) | 6.5 | Medium | +| Cisco Webex App | Cloud-based software | [ CVE-2024-20395](https://nvd.nist.gov/vuln/detail/CVE-2024-20395)
[CVE-2024-20396](https://nvd.nist.gov/vuln/detail/CVE-2024-20396) | 6.4
5.3 | Medium
Medium | +| Cisco Identity Services Engine Software | Versions before 3.1P10 (Jan 2025), 3.2P7 (Sep 2024), and 3.3P3 | [CVE-2024-20296](https://nvd.nist.gov/vuln/detail/CVE-2024-20296) | 4.7 | Medium | +| Cisco Expressway Series | Versions before 15.0.2 | [CVE-2024-20400](https://nvd.nist.gov/vuln/detail/CVE-2024-20400) | 3.1 | Medium | ## What has been observed? diff --git a/docs/advisories/20240823001-SolarWinds-Releases-Critical-Update.md b/docs/advisories/20240823001-SolarWinds-Releases-Critical-Update.md new file mode 100644 index 000000000..42fb66157 --- /dev/null +++ b/docs/advisories/20240823001-SolarWinds-Releases-Critical-Update.md @@ -0,0 +1,25 @@ +# SolarWinds Releases Critical Update - 20240823001 + +## Overview + +The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------------ | --------------------------------------- | ----------------------------------------------------------------- | ---- | ------------ | +| SolarWinds Web Help Desk | **all versions before** 12.8.3 Hotfix 2 | [CVE-2024-28987](https://nvd.nist.gov/vuln/detail/CVE-2024-28987) | 9.1 | **Critical** | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- SolarWinds article: + +## Additional References + +- Cybersecurity News article: diff --git a/docs/advisories/20240823002-CISA-ICS-Advisories.md b/docs/advisories/20240823002-CISA-ICS-Advisories.md new file mode 100644 index 000000000..83d822fa8 --- /dev/null 
+++ b/docs/advisories/20240823002-CISA-ICS-Advisories.md @@ -0,0 +1,20 @@ +# CISA Releases New ICS Advisories - 20240823002 + +## Overview + +CISA has released multiple advisories for Industrial Control Systems (ICS) related vendors. + +## What is vulnerable? + +| Vendor | Advisory Link(s) | +| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Rockwell | [ICSA-24-235-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-01)
[ICSA-24-235-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-02) | +| MOBOTIX | [ICSA-24-235-03](https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-03) | +| Avtec | [ICSA-24-235-04](https://www.cisa.gov/news-events/ics-advisories/icsa-24-235-04) | +| Mitsubishi Electric | [ICSA-20-282-02](https://www.cisa.gov/news-events/ics-advisories/icsa-20-282-02) | + +## Recommendation + +The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices. + +- CISA Advisory: diff --git a/docs/advisories/20240826001-Chromium-Vulnerability-Known-Exploitation.md b/docs/advisories/20240826001-Chromium-Vulnerability-Known-Exploitation.md new file mode 100644 index 000000000..ac1ec941f --- /dev/null +++ b/docs/advisories/20240826001-Chromium-Vulnerability-Known-Exploitation.md @@ -0,0 +1,22 @@ +# Chromium Vulnerability Known Exploitation - 20240826001 + +## Overview + +Google has released updates to address a Type confusion vulnerability in V8 in Chrome and chromium based browsers (e.g. Microsoft Edge) which could allow remote attacker(s) to exploit heap corruption via a crafted HTML page. The vulnerability is actively exploited in the wild. + +## What is vulnerable? + +| **Product(s) Affected** | **Version(s)** | **CVE #** | **CVSS v4/v3** | **Severity** | +| ----------------------- | ----------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | -------------- | ------------ | +| Microsoft Edge | prior to 128.0.2739.42 | [CVE-2024-7971](https://nvd.nist.gov/vuln/detail/CVE-2024-7971) | 8.8 | High | +| Google Chrome | prior to 128.0.6613.84 for Linux
prior to 128.0.6613.84 for Windows
prior to 128.0.6613.85 for Mac | [CVE-2024-7971](https://nvd.nist.gov/vuln/detail/CVE-2024-7971) | 8.8 | High | + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +## Additional References + +- Microsoft Security Response Center: +- Google Chrome Releases: +- The Hacker News: diff --git a/docs/advisories/20240826002-Progress-WhatsUp-Gold-Critical-Update.md b/docs/advisories/20240826002-Progress-WhatsUp-Gold-Critical-Update.md new file mode 100644 index 000000000..df9b4cec4 --- /dev/null +++ b/docs/advisories/20240826002-Progress-WhatsUp-Gold-Critical-Update.md @@ -0,0 +1,25 @@ +# Progress WhatsUp Gold Critical Update - 20240826002 + +## Overview + +The Progress WhatsUp Gold team has recently disclosed multiple critical vulnerabilities affecting all versions of the software released before 2024.0.0. These vulnerabilities, identified as CVE-2024-6670, CVE-2024-6671, and CVE-2024-6672, pose significant risks to organizations using outdated versions of the network monitoring tool. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | -------------------- | --------------------------------------------------- | --------------------- | -------------------------------------------- | +| Progress WhatsUp | **Gold \< 2024.0.0** | CVE-2024-6670
CVE-2024-6671
CVE-2024-6672 | 9.8
9.8
8.8 | **Critical**
**Critical**
**High** | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 Hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Progress Community article: + +## Additional References + +- Cybersecurity News article: diff --git a/docs/advisories/20240827001-SonicWall-Critical-Update.md b/docs/advisories/20240827001-SonicWall-Critical-Update.md new file mode 100644 index 000000000..fb2c1096f --- /dev/null +++ b/docs/advisories/20240827001-SonicWall-Critical-Update.md @@ -0,0 +1,21 @@ +# SonicWall Publishes Critical Updates - 20240827001 + +## Overview + +SonicWall has published an advisory relating to critical updates affecting multiple products that, if successfully exploited, could grant malicious actors unauthorized access to the devices. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity | +| -------------------------- | -------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------- | -------- | +| SonicWall Firewall devices | - Gen5 \<= 5.9.2.14-12o
- Gen6 \<= 6.5.4.14-109n
- Gen7 \<= 7.0.1-5035 | [CVE-2024-40766](https://nvd.nist.gov/vuln/detail/CVE-2024-40766) | 9.3 | Critical | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Sonicwall Security Advisory: diff --git a/docs/advisories/20240830001-CISA-Advisory-on-RansomHub-Ransomware.md b/docs/advisories/20240830001-CISA-Advisory-on-RansomHub-Ransomware.md new file mode 100644 index 000000000..151742c6f --- /dev/null +++ b/docs/advisories/20240830001-CISA-Advisory-on-RansomHub-Ransomware.md 
@@ -0,0 +1,21 @@ +# CISA Releases Joint Advisory on RansomHub Ransomware - 20240830001 + +## Overview + +The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) released joint Cybersecurity Advisory (CSA) [#StopRansomware: RansomHub Ransomware](https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a), detailing its indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). RansomHub, previously known as Cyclops and Knight, has become a successful ransomware-as-a-service model, attracting affiliates from other major variants like LockBit and ALPHV. + +## What has been observed? + +CISA added this vulnerabilty based on CVEs observed [Cybersecurity Alerts & Advisories](https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory_type%3A94) catalog on *August 28, 2024*. + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators perform a scan for the IOCs included and apply the mitigations as per CISA instructions. + +**Immediate action to take includes:** + +1. Secure and closely monitor Remote Desktop Protocol (RDP). +1. Maintain offline backups of data, and regularly maintain backup and restoration. +1. Enable and enforce phishing-resistant multifactor authentication (MFA). diff --git a/docs/advisories/20240903001-Zabbix-Code-Execution+Vulnerability.md b/docs/advisories/20240903001-Zabbix-Code-Execution+Vulnerability.md new file mode 100644 index 000000000..bb2fdbe49 --- /dev/null +++ b/docs/advisories/20240903001-Zabbix-Code-Execution+Vulnerability.md 
@@ -0,0 +1,22 @@ +# Zabbix Server Critical Vulnerability - 20240903001 + +## Overview + +The WA SOC has been made aware of vulnerability discovered in Zabbix Server that allows attackers with restrited administrative permissions to execute arbitrary code. +The flaw, identified in the Ping script execution within the Monitoring Hosts section, could compromise the infrastructure. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity | +| ------------------- | --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---------- | -------- | +| Zabbix Server | Zabbix Server versions 6.4.0 to 6.4.15
Zabbix Server versions 7.0.0alpha1 to 7.0.0rc2
| [CVE-2024-22116](https://nvd.nist.gov/vuln/detail/CVE-2024-22116) | 9.9 | Critical | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Zabbix Bugs and Issues: diff --git a/docs/advisories/20240903002-CISA-New-ICS-Advisories.md b/docs/advisories/20240903002-CISA-New-ICS-Advisories.md new file mode 100644 index 000000000..90d4ef2de --- /dev/null +++ b/docs/advisories/20240903002-CISA-New-ICS-Advisories.md @@ -0,0 +1,18 @@ +# CISA Releases New ICS Advisories - 20240903002 + +## Overview + +CISA has released multiple advisories for Industrial Control Systems (ICS) related vendors. + +## What is vulnerable? + +| Vendor | Advisory | +| ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Rockwell Automation | [ICSA-24-242-01](https://www.cisa.gov/news-events/ics-advisories/icsa-24-242-01)
[ICSA-24-226-06](https://www.cisa.gov/news-events/ics-advisories/icsa-24-226-06) | +| Delta Electronics | [ICSA-24-242-02](https://www.cisa.gov/news-events/ics-advisories/icsa-24-242-02) | + +## Recommendation + +The WA SOC recommends administrators review relevant advisories and apply the recommended actions to all affected devices. + +- CISA Advisory: diff --git a/docs/advisories/20240904001-Ivanti-Critical-Vulnerability-PoC-Published.md b/docs/advisories/20240904001-Ivanti-Critical-Vulnerability-PoC-Published.md new file mode 100644 index 000000000..cc5871527 --- /dev/null +++ b/docs/advisories/20240904001-Ivanti-Critical-Vulnerability-PoC-Published.md @@ -0,0 +1,22 @@ +# Ivanti Critical Vulnerability PoC Published - 20240904001 + +## Overview + +Ivanti released updates for Ivanti Virtual Traffic Manager (vTM) which addressed a critical vulnerability. Successful exploitation could lead to authentication bypass and creation of an administrator user. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE # | CVSS v4/v3 | Severity | +| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | ---------- | -------- | +| Ivanti Virtual Traffic Manager | 22.2 \< 22.2R1
22.3 \< 22.3R3
22.3R2 \< 22.3R3
22.5R1 \< 22.5R2
22.6R1 \< 22.6R2
22.7R1 \< 22.7R2 | [CVE-2024-7593](https://nvd.nist.gov/vuln/detail/CVE-2024-7593) | 9.8 | Critical | + +## What has been observed? + +Ivanti is not aware of any customers being exploited by this vulnerability at the time of disclosure, however a Proof of Concept is publicly available. +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Vendor article: diff --git a/docs/advisories/20240904002-WinRAR-Active-Exploitation.md b/docs/advisories/20240904002-WinRAR-Active-Exploitation.md new file mode 100644 index 000000000..49d02bb49 --- /dev/null +++ b/docs/advisories/20240904002-WinRAR-Active-Exploitation.md 
@@ -0,0 +1,26 @@ +# WinRAR Vulnerability Active Exploitation - 20240904002 + +## Overview + +The WA SOC has been made aware of active exploitation in the wild against WinRAR products allowing an attacker to execute arbitrary code on the system via a specially prepared archive. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ----------------------------------------------------------------- | ---- | -------- | +| WinRAR | \< 6.23 | [CVE-2023-38831](https://nvd.nist.gov/vuln/detail/CVE-2023-38831) | 7.8 | High | + +## What has been observed? + +However, Proof of Concept (PoC) is made available, and there are reports of active exploitation in the wild. +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- Vendor page: + +## Additional References + +- TheHackerNews article: diff --git a/docs/guidelines/further-five.md b/docs/guidelines/further-five.md index 6a33f2c4c..d21f373cb 100644 --- a/docs/guidelines/further-five.md +++ b/docs/guidelines/further-five.md @@ -1,4 +1,4 @@ -# ACSC Strategies to Mitigate +# ACSC Strategies to Mitigate Cyber Security Incidents The below are all from [ACSC Strategies to Mitigate Cyber Security Incidents – Mitigation Details](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/strategies-mitigate-cyber-security-incidents/strategies-mitigate-cyber-security-incidents-mitigation-details). 
@@ -24,10 +24,10 @@ Server application hardening helps the organisation to conduct its business with OWASP guidance helps to mitigate web application security vulnerabilities such as SQL injection, and covers code review, data validation and sanitisation, user and session management, protection of data in transit and storage, error handling, user authentication, logging and auditing. !!! info - The ACSC has developed guidance for securing content management systems running on web servers, as part of the ACSC responding to cyber security incidents involving adversaries compromising internet-accessible web servers and using 'web shells' which can facilitate remote access, administration and pivoting to the organisation's internal systems. + Further guidance on server application hardening are available below. - - Further guidance on protecting web applications is available in the *[Protecting Web Applications and Users](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/web-hardening/protecting-web-applications-and-users "Protecting Web Applications and Users")* publication. - - Further guidance on securing content management systems is available in the *[Securing Content Management Systems](https://www.cyber.gov.au/resources-business-and-government/maintaining-devices-and-systems/system-hardening-and-administration/web-hardening/securing-content-management-systems "Securing Content Management Systems")* publication. + - Further guidance on system hardening is available in the *[Guidelines for System Hardening](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-system-hardening "Guidelines for System Hardening")* publication. 
+ - Further guidance on protecting web applications and users is available in the *[Protecting Web Application and Users](https://www.cyber.gov.au/sites/default/files/2023-03/PROTECT%20-%20Protecting%20Web%20Applications%20and%20Users%20%28October%202021%29.pdf "Protecting Web Applications and Users")* publication. - Further guidance on secure software development is available in the *[Guidelines for Software Development](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/ism/cyber-security-guidelines/guidelines-software-development)* publication. ### Block spoofed emails diff --git a/docs/threat-activity.md b/docs/threat-activity.md index f23b76fdb..e08d12fb6 100644 --- a/docs/threat-activity.md +++ b/docs/threat-activity.md @@ -2,7 +2,7 @@ {{ date_index("docs/advisories", prefix="advisories/", expand=1, include=2) }} -## WA SOC - Recent Threat Activity (July 2024) +## WA SOC - Recent Threat Activity (August 2024) Based on recent high impact incidents seen by the WA SOC, security teams should be focusing on the below areas of improvement: 
@@ -10,10 +10,12 @@ Based on recent high impact incidents seen by the WA SOC, security teams should - The ACSC has released a coordinated advisory about the newly realised [APT40](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/apt40-advisory-prc-mss-tradecraft-in-action). - CISA has released a joint Cybersecurity Advisory titled ["North Korea State-Sponsored Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs"](https://www.cisa.gov/news-events/alerts/2024/07/25/fbi-cisa-and-partners-release-advisory-highlighting-north-korean-cyber-espionage-activity). +- The ACSC has observed activity of Threat Actors impersonating the ACSC [Email scammers impersonating the ASD's ACSC](https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/email-scammers-impersonating-asds-acsc) Recent WA SOC advisories this month worth staying across include: -- [ServiceNow Public Exploitation Campaigns](https://soc.cyber.wa.gov.au/advisories/20240726005-ServiceNow-Public-Exploitation-Campaigns/) +- [SolarWinds Releases Critical Update - 20240814002](https://soc.cyber.wa.gov.au/advisories/20240814002-SolarWinds-Releases-Critical-Update/) +- [SAP Releases Critical Updates - 20240814003](https://soc.cyber.wa.gov.au/advisories/20240814003-SAP-Releases-Critical-Updates/) Agencies should review the latest [WA Government Cyber Security Policy](https://www.wa.gov.au/government/publications/2024-wa-government-cyber-security-policy) diff --git a/utilities/guides/AD-Hoc-Threat-Hunting-Workbook.md b/utilities/guides/AD-Hoc-Threat-Hunting-Workbook.md new file mode 100644 index 000000000..0d17883a5 --- /dev/null +++ b/utilities/guides/AD-Hoc-Threat-Hunting-Workbook.md 
@@ -0,0 +1,23 @@ +# WASOC Workbook HOW TO Guide + +## Use of the Ad-Hoc Threat Hunting Workbook + +1. Select the Subscription, Workspace, and TimeRange parameters. These will apply across all the tabs and threat-hunting queries. + ![1](/utilities/screenshots/wrkbk-TH-1.png) +1. Select one of the three tabs to start with threat hunting. Queries will automatically run using the selected parameters from step 1. + - Threat Hunting Queries - A number of various queries to detect some of the most common attacks + - Open Source Thret Intelligence - Query that uses open source TI feeds to detect malicious activity + - Pivoting - Queries to pivot on activities from compromised assets to detect malicious + ![2](/utilities/screenshots/wrkbk-TH-2.png) +1. When performing the initial investigation under the pivoting tab, update the fields with compromised entities. The below queries will run automatically and show the results. + ![3](/utilities/screenshots/wrkbk-TH-3.png) +1. Adding additional queries can be done by copying existing queries and changing the query and the naming. + 1. Select 'Edit' on the whole workbook and click Edit from onj the specific group + ![4](/utilities/screenshots/wrkbk-TH-4.png) + 1. Clone one of the existing queries + ![5](/utilities/screenshots/wrkbk-TH-5.png) + 1. Under Settings tab, change the query with the new one + ![6](/utilities/screenshots/wrkbk-TH-6.png) + 1. Under 'Advanced Settings' tab, change the naming of the query. Ensure the parameters TimeRange and Workspace are as per the globally assigned parameters. + ![7](/utilities/screenshots/wrkbk-TH-7.png) +1. Save the workbook diff --git a/utilities/guides/gap-analysis-workbook-deployment.md b/utilities/guides/Gap-Analysis-Workbook.md similarity index 72% rename from utilities/guides/gap-analysis-workbook-deployment.md rename to utilities/guides/Gap-Analysis-Workbook.md index f99d47476..38c4e9b1f 100644 --- a/utilities/guides/gap-analysis-workbook-deployment.md 
+++ b/utilities/guides/Gap-Analysis-Workbook.md @@ -1,20 +1,5 @@ # WASOC Workbook HOW TO Guide -## How To Deploy The GAP Analysis Workbook With ARM Template - -1. From the [README.md](/utilities/tools/Gap-Analysis/README.md) page click on the **Deploy to Azure icon** - ![Deploy Gap Analysis to Azure](/utilities/screenshots/wrkbk-deploy.png) - -1. This will open the custom deployment window. Select the subscription, resource group and manually enter the **log analytics workspace name** where this workbook will be associated with. - ![Custom deployment](/utilities/screenshots/wrkbk-deploy2.png) - -1. In the next step, **Review+Create** check if the information provided is accurate and click **Create**. - ![Custom deployment](/utilities/screenshots/wrkbk-deploy3.png) - - If there are no errors, it will deploy the workbook and **'deployment succeeded'** notification will pop up. - -![Custom deployment](/utilities/screenshots/wrkbk-deploy4.png) - ## Use of the GAP Analysis Workbook 1. The **Data Visibility** tab illustrates the current visibility of data ingested into the Sentinel workspace. These tables are recommended for improved [detections](https://soc.cyber.wa.gov.au/baselines/data-sources/#5-detection-analytics) and [threat hunting](https://soc.cyber.wa.gov.au/guidelines/TTP_Hunt/ttp-detection-guidelines/#threat-hunting-guideline) activities. For more details, please refer to [Baseline for Detection Coverage (MITRE ATT&CK)](https://soc.cyber.wa.gov.au/baselines/data-sources/#baseline-for-detection-coverage-mitre-attck) and [Telemetry to collect (prioritised)](https://soc.cyber.wa.gov.au/onboarding/sentinel-guidance/?h=maturity+model#2-telemetry-to-collect-prioritised) guidelines. diff --git a/utilities/guides/Rapid-IOC-Workbook.md b/utilities/guides/Rapid-IOC-Workbook.md new file mode 100644 index 000000000..642f08254 --- /dev/null +++ b/utilities/guides/Rapid-IOC-Workbook.md 
@@ -0,0 +1,10 @@ +# WASOC Workbook HOW TO Guide + +## Use of the Rapid IOC Search Workbook + +1. Select the Subscription, Workspace, and TimeRange parameters. These will apply across all the tabs and IOC queries.\ + ![1](/utilities/screenshots/wrkbk-RI-1.png) +1. Select one of the 'IP, HASH, URL, or Email' tabs to start with the IOC threat hunting. Add the IOCs to a list (as per the example shown), within quotes, and separate them by a comma. The queries will automatically run using the selected parameters and the IOCs. + ![2](/utilities/screenshots/wrkbk-RI-2.png) +1. The results will show hits on the IOCs per table. These hits should be further investigated in the Log Explorer. + ![3](/utilities/screenshots/wrkbk-RI-3.png) diff --git a/utilities/guides/Workbook-Deployment.md b/utilities/guides/Workbook-Deployment.md new file mode 100644 index 000000000..7f0200c3d --- /dev/null +++ b/utilities/guides/Workbook-Deployment.md @@ -0,0 +1,12 @@ +# WASOC Workbook HOW TO Guide + +## How To Deploy a Workbook With ARM Template + +1. From the [README.md](/utilities/tools/Gap-Analysis/README.md) page click on the **Deploy to Azure icon** + ![Deploy Gap Analysis to Azure](/utilities/screenshots/wrkbk-deploy.png) +1. This will open the custom deployment window. Select the subscription, resource group and manually enter the **log analytics workspace name** where this workbook will be associated with. + ![Custom deployment](/utilities/screenshots/wrkbk-deploy2.png) +1. In the next step, **Review+Create** check if the information provided is accurate and click **Create**. + ![Custom deployment](/utilities/screenshots/wrkbk-deploy3.png) + If there are no errors, it will deploy the workbook and **'deployment succeeded'** notification will pop up. + ![Custom deployment](/utilities/screenshots/wrkbk-deploy4.png) 
diff --git a/utilities/screenshots/wrkbk-RI-1.png b/utilities/screenshots/wrkbk-RI-1.png new file mode 100644 index 000000000..cb8613a5a Binary files /dev/null and b/utilities/screenshots/wrkbk-RI-1.png differ diff --git a/utilities/screenshots/wrkbk-RI-2.png b/utilities/screenshots/wrkbk-RI-2.png new file mode 100644 index 000000000..93f2f10e0 Binary files /dev/null and b/utilities/screenshots/wrkbk-RI-2.png differ diff --git a/utilities/screenshots/wrkbk-RI-3.png b/utilities/screenshots/wrkbk-RI-3.png new file mode 100644 index 000000000..4f0168fa3 Binary files /dev/null and b/utilities/screenshots/wrkbk-RI-3.png differ diff --git a/utilities/screenshots/wrkbk-TH-1.png b/utilities/screenshots/wrkbk-TH-1.png new file mode 100644 index 000000000..0a18a2136 Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-1.png differ diff --git a/utilities/screenshots/wrkbk-TH-2.png b/utilities/screenshots/wrkbk-TH-2.png new file mode 100644 index 000000000..206816b5e Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-2.png differ diff --git a/utilities/screenshots/wrkbk-TH-3.png b/utilities/screenshots/wrkbk-TH-3.png new file mode 100644 index 000000000..6006a3f9a Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-3.png differ diff --git a/utilities/screenshots/wrkbk-TH-4.png b/utilities/screenshots/wrkbk-TH-4.png new file mode 100644 index 000000000..763358f66 Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-4.png differ diff --git a/utilities/screenshots/wrkbk-TH-5.png b/utilities/screenshots/wrkbk-TH-5.png new file mode 100644 index 000000000..1a10a3d05 Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-5.png differ diff --git a/utilities/screenshots/wrkbk-TH-6.png b/utilities/screenshots/wrkbk-TH-6.png new file mode 100644 index 000000000..b69964faa Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-6.png differ 
diff --git a/utilities/screenshots/wrkbk-TH-7.png b/utilities/screenshots/wrkbk-TH-7.png new file mode 100644 index 000000000..0c8d9a256 Binary files /dev/null and b/utilities/screenshots/wrkbk-TH-7.png differ diff --git a/utilities/tools/AD-Hoc-Threat-Hunting-Activities-WASOCv1.0.json b/utilities/tools/AD-Hoc-Threat-Hunting-Activities-WASOCv1.0.json new file mode 100644 index 000000000..55d0cde60 --- /dev/null +++ b/utilities/tools/AD-Hoc-Threat-Hunting-Activities-WASOCv1.0.json 
@@ -0,0 +1,61 @@ +{ + "contentVersion": "1.0.0.0", + "parameters": { + "workbookDisplayName": { + "type": "string", + "defaultValue": "AD-Hoc Threat hunting activities", + "metadata": { + "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group." + } + }, + "workbookType": { + "type": "string", + "defaultValue": "sentinel", + "metadata": { + "description": "The gallery that the workbook will been shown under. Supported values include workbook, tsg, etc. Usually, this is 'workbook'" + } + }, + "WorkspaceName": { + "type": "string", + "defaultValue": "", + "minLength": 1, + "metadata": { + "description": "The name of the Log Analytics workspace to which this workbook will be associated" + } + }, + "workbookId": { + "type": "string", + "defaultValue": "[newGuid()]", + "metadata": { + "description": "The unique guid for this workbook instance" + } + } + }, +"variables": { + "workbookSourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('WorkspaceName'))]" + }, + "resources": [ + { + "name": "[parameters('workbookId')]", + "type": "microsoft.insights/workbooks", + "location": "[resourceGroup().location]", + "apiVersion": "2022-04-01", + "dependsOn": [], + "kind": "shared", + "properties": { + "displayName": "[parameters('workbookDisplayName')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"c3cc19f5-463e-47ba-b039-252c47f29611\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Threat Hunting Queries\",\"subTarget\":\"TH ADS\",\"style\":\"link\"},{\"id\":\"2b992c40-7e9a-419b-b739-13ce441cd0fc\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Open Source TI 
Detections\",\"subTarget\":\"TI\",\"style\":\"link\"},{\"id\":\"fce23985-f887-4dd2-9f50-8f37f8277e37\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Pivoting\",\"subTarget\":\"piv\",\"style\":\"link\"}]},\"name\":\"links - 10\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Subscription}\"],\"parameters\":[{\"id\":\"04951277-d010-499c-8e9c-1967c08836b2\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\n| summarize Count = count() by subscriptionId\\n| order by Count desc\\n| extend Rank = row_number()\\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 1\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":14400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[]},{\"id\":\"55ecfb10-706e-4b16-8b59-7f6107cd5975\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' | project id = 
tostring(properties.workspaceResourceId)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":14400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},{\"id\":\"85c3e11e-0568-4c21-8c6f-668f10b85231\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"timeContext\":{\"durationMs\":14400000},\"value\":{\"durationMs\":2592000000}},{\"id\":\"62a3e14a-aca9-4f74-8816-51d91b09ed84\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Instructions\",\"label\":\"Show Instructions\",\"type\":10,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"Hide\\\", \\\"label\\\":\\\"Hide\\\",\\\"selected\\\":true},\\n { \\\"value\\\":\\\"Show\\\", \\\"label\\\":\\\"Show\\\" }\\n]\\n\",\"timeContext\":{\"durationMs\":14400000}}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"This workbook includes a range of threat hunting queries to help execute Threat Hunts. 
\\n\\nThe workbook covers three segments: \\n- Threat Hunting Queries - A number of various queries to detect some of the most common attacks \\n- Open Source Thret Intelligence - Query that uses open source TI feeds to detect malicious activity \\n- Pivoting - Queries to pivot on activities from compromised assets to detect malicious \\n

\\nPlease feel free to adapt the content of this workbook to meet the needs of the Agency. For any assistance regarding this workbook contact WA SOC on cybersecurity@dpc.wa.gov.au\\n

\\nv1.0 August 2024 \\n\\n---\\n## Instructions:\\n1. Select Subscription and Workspace\\n2. Define Time Range of the hunting activity \\n3. Queries will run automatically when changes occur \\n\\nFor more Threat Hunting details refer to the [Threat Hunting Guideline](https://soc.cyber.wa.gov.au/guidelines/TTP_Hunt/ttp-detection-guidelines/) or contact WA SOC on cybersecurity@dpc.wa.gov.au\\n

\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Instructions\",\"comparison\":\"isEqualTo\",\"value\":\"Show\"},\"name\":\"text - 12\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Initial Access https://attack.mitre.org/tactics/TA0001/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let clientThreshold = 1;\\n let scriptExtensions = dynamic([\\\".php\\\", \\\".aspx\\\", \\\".asp\\\", \\\".cfml\\\"]);\\n let data = W3CIISLog\\n | where csUriStem has_any(scriptExtensions)\\n |where scStatus == 200\\n |where ipv4_is_private(cIP) == false and cIP !startswith \\\"fe80\\\" and cIP !startswith \\\"::\\\" and cIP !startswith \\\"127.\\\"\\n |where ipv4_is_private(sIP) == false \\n | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(cIP), dcount(TimeGenerated) by csUriStem, sSiteName, csUserAgent;\\n data\\n | mvexpand list_cIP\\n | distinct StartTime, EndTime, tostring(list_cIP), csUriStem, sSiteName, csUserAgent\\n | summarize StartTime = min(StartTime), EndTime = max(StartTime), dcount(list_cIP), makelist(list_cIP), makelist(sSiteName) by csUriStem, csUserAgent\\n | where dcount_list_cIP == clientThreshold \\n | where csUserAgent startswith \\\"Mozilla\\\"\\n | extend timestamp = StartTime, UserAgentCustomEntity = csUserAgent \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1190 WebshellsSuspiciousURI\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1= dynamic([\\\"pcapp.store\\\"]);\\r\\nunion Device*\\r\\n| where RemoteUrl has_any (c1) or 
InitiatingProcessFolderPath contains \\\"pcappstore\\\"\",\"size\":4,\"showAnalytics\":true,\"title\":\"TA0001 - PcAppStore - Potential malware installed\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_filetype=dynamic([\\\"png\\\",\\\"gif\\\",\\\"jpeg\\\",\\\"jpg\\\"]);\\r\\nlet selection_subject=dynamic([\\\"2FA\\\",\\\"Action\\\",\\\"payroll\\\",\\\"MFA\\\"]); //add other potential subjects\\r\\nlet filter_domain=dynamic([\\\"microsoft.com\\\",\\\"sharepointonline.com\\\"]); //add agency specific filter\\r\\nlet lookback = 3d;\\r\\nEmailEvents\\r\\n| where TimeGenerated > ago(lookback)\\r\\n| summarize arg_min(TimeGenerated,*) by NetworkMessageId, RecipientEmailAddress, TenantId\\r\\n| where EmailDirection == 'Inbound'\\r\\n| where DeliveryAction == 'Delivered'\\r\\n| where SenderMailFromDomain !contains \\\"wa.gov.au\\\"\\r\\n| extend username_ = tostring(split(RecipientEmailAddress, \\\"@\\\")[0])\\r\\n| extend domain_ = tostring(split(RecipientEmailAddress, \\\"@\\\")[1])\\r\\n| extend domain_name_ = tostring(split(domain_, \\\".\\\")[0])\\r\\n| where Subject contains username_ or Subject contains domain_ or Subject contains domain_name_ or Subject has_any (selection_subject)\\r\\n| where not(SenderMailFromDomain has_any (filter_domain))\\r\\n| join \\r\\n(\\r\\nEmailAttachmentInfo\\r\\n| where TimeGenerated > ago(lookback)\\r\\n| where FileType has_any (selection_filetype)\\r\\n| where FileName matches regex \\\"^[A-Za-z0-9]{7,10}\\\\\\\\.[A-Za-z0-9]+$\\\" //tweak here to change potential qr code filename convention changes\\r\\n| where FileName !startswith \\\"image\\\" and FileName !startswith \\\"ATT00\\\" //ignore lists for known attachment false 
positive\\r\\n) on NetworkMessageId\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1566.001 - QR Code Phishing Attachment (Quishing)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| where FileName matches regex @\\\"Edge\\\\\\\\.[a-z0-9]{6}\\\\\\\\.zip\\\" or FileName matches regex @\\\"Chrome\\\\\\\\.Update\\\\\\\\.[a-z0-9]{6}\\\\\\\\.zip\\\" or FileName matches regex @\\\"FireFox\\\\\\\\.Update\\\\\\\\.[a-z0-9]{6}\\\\\\\\.zip\\\" or FileName matches regex @\\\"download\\\\\\\\.[a-z0-9]{6}\\\\\\\\.zip\\\"\\r\\n| where InitiatingProcessFileName <> \\\"MsSense.exe\\\" //Exclude files detected by Defender for Endpoint\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1189 - Drive-by Compromise - FakeUpdate\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 7 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Execution https://attack.mitre.org/tactics/TA0002/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_main = dynamic(['wmic.exe','powershell.exe','cmd.exe','ntdsutil.exe']);\\r\\nlet selection_wmic = dynamic([\\\"wmic\\\", \\\"process\\\", \\\"create\\\"]); //not used\\r\\nlet 
selection_command = dynamic(['ntdsutil','ntds','ac','i','ifm']);\\r\\nunion isfuzzy=true\\r\\n(DeviceProcessEvents\\r\\n| where FolderPath has_any(selection_main)\\r\\n| where ProcessCommandLine has_all (selection_command) or InitiatingProcessCommandLine has_all (selection_command)\\r\\n),\\r\\n(SecurityEvent\\r\\n| where EventID == 4688\\r\\n| where CommandLine has_all (selection_command)\\r\\n)\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1047 - WMIC Commands\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1= dynamic(['.zip','.js']); \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or\\r\\nCommandLine has_all (c1) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1059.007 - GootLoader: JavaScript Execution\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([@\\\"\\\\scilc.exe\\\", \\\"-do\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1059 - MicroSCADA SCILC Command Execution\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"T1059 - MicroSCADA SCILC Command 
Execution\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 7 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Persistence https://attack.mitre.org/tactics/TA0003/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1= dynamic(['reg',' ADD', @'Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run']); \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1547.001 - Potential Persistence Attempt Via Run Keys Using Reg.EXE\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let ExtensionList = pack_array('asp','aspx','aar','ascx','ashx','asmx','c','cfm','cgi','jsp','jspx','php','pl','exe','jsp','jar','py','ps1','psm1','cmd','psd1','java','wsf','vbs');\\r\\nlet IncludeTemp = false; // whether to include files that contain \\\\temp\\\\ in their path\\r\\nDeviceFileEvents\\r\\n| where ActionType in ('FileCreated', 'FileRenamed', 'FileModified')\\r\\n| where InitiatingProcessFileName in~('w3wp.exe','httpd.exe') \\r\\n| where FolderPath contains @'\\\\inetpub\\\\wwwroot\\\\'\\r\\n| where (IncludeTemp or FolderPath !contains @'\\\\temp\\\\')\\r\\n| extend extension = tolower(tostring(split(FileName,'.')[-1]))\\r\\n| where extension in (ExtensionList) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.003 - IIS webshell file 
writes\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_general = @\\\".*(/httpd|/lighttpd|/nginx|/apache2|/node|/caddy)$\\\";\\r\\nlet selection_tomcat = dynamic(['/bin/java','tomcat']);\\r\\nlet selection_websphere = dynamic(['/bin/java','websphere']);\\r\\nlet sub_processes= @\\\"/(whoami|ifconfig|ip|bin/uname|bin/cat|bin/crontab|hostname|iptables|netstat|pwd|route)$\\\";\\r\\nDeviceProcessEvents\\r\\n| where TimeGenerated > ago(30d)\\r\\n| where InitiatingProcessFolderPath matches regex selection_general or InitiatingProcessCommandLine has_all (selection_tomcat) or InitiatingProcessCommandLine has_all (selection_websphere)\\r\\n| where FolderPath matches regex sub_processes\\r\\n//| summarize count(), earliest_time=min(TimeGenerated), set_DeviceName=make_set(DeviceName) by TenantId, InitiatingProcessFolderPath,InitiatingProcessCommandLine, FolderPath, ProcessCommandLine, SHA256\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.003 - Linux Webshell Indicators\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let cs_uri_query=dynamic(['=C:/Users', '=C:/Program%20Files', '=C:/Windows', '=C%3A%5CUsers', '=C%3A%5CProgram%20Files', '=C%3A%5CWindows']);\\r\\nAzureDiagnostics \\r\\n//| where action_s == \\\"Allowed\\\" // filter to minimise noise\\r\\n| where requestUri_s has_any (cs_uri_query)\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.003 - Suspicious 
Windows Strings In URI\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_wwwroot = @\\\"\\\\inetpub\\\\wwwroot\\\\\\\";\\r\\nlet selection_ext1 = dynamic(['.asp','.ashx','.ph']);\\r\\nlet selection_static = dynamic([\\\"\\\\\\\\www\\\\\\\\\\\", \\\"\\\\\\\\htdocs\\\\\\\\\\\", \\\"\\\\\\\\html\\\\\\\\\\\"]);\\r\\nlet selection_ext2 = \\\".ph\\\";\\r\\nlet false_positive1 = dynamic(['\\\\\\\\AppData\\\\\\\\Local\\\\\\\\Temp\\\\\\\\', '\\\\\\\\Windows\\\\\\\\Temp\\\\\\\\']); //false positives when unpacking some executables in $TEMP\\r\\nlet false_positive_system = \\\"System\\\"; //backup or restore from drivers\\r\\nlet false_positive_legitimate = dynamic([\\\"\\\\\\\\xampp\\\",\\\"\\\\\\\\QGIS\\\"]);\\r\\nDeviceFileEvents //SOC-748162\\r\\n| where ActionType == \\\"FileCreated\\\" //Modification to filter only file creation\\r\\n| where (FolderPath contains selection_wwwroot and FolderPath has_any (selection_ext1)) or (FolderPath has_any (selection_static) and FolderPath endswith selection_ext2)\\r\\n| where not(FolderPath has_any (false_positive1) or InitiatingProcessFolderPath == false_positive_system or FolderPath has_any (false_positive_legitimate))\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.003 - Windows Webshell Creation\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\r\\n| where InitiatingProcessFolderPath 
endswith '\\\\\\\\sqlservr.exe' and FolderPath matches regex @\\\".*(bash.exe|bitsadmin.exe|cmd.exe|netstat.exe|nltest.exe|ping.exe|powershell.exe|pwsh.exe|regsvr32.exe|rundll32.exe|sh.exe|systeminfo.exe|tasklist.exe|wsl.exe)$\\\"\\r\\n| where InitiatingProcessFolderPath !startswith \\\"C:\\\\\\\\Program Files\\\\\\\\Microsoft SQL Server\\\\\\\\\\\"\\r\\n| where InitiatingProcessFolderPath !endswith \\\"DATEV_DBENGINE\\\\\\\\MSSQL\\\\\\\\Binn\\\\\\\\sqlservr.exe\\\"\\r\\n| where FolderPath !contains 'C:\\\\\\\\Windows\\\\\\\\System32\\\\\\\\cmd.exe'\\r\\n| where ProcessCommandLine !startswith \\\"C:\\\\\\\\Windows\\\\\\\\system32\\\\\\\\cmd.exe\\\"\\r\\n| where ProcessCommandLine !startswith \\\"C:\\\\\\\\Windows\\\\\\\\SysWOW64\\\\\\\\cmd.exe\\\"\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.003 - Suspicious Child Process Of SQL Server\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_1 = dynamic(['.exe','ADMIN$']); \\r\\nlet selection_2 = dynamic(['powershell','start','%COMSPEC%']); \\r\\nDeviceRegistryEvents\\r\\n| where ActionType == \\\"RegistryValueSet\\\"\\r\\n| where RegistryKey has_any (@'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet001\\\\Services', @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\ControlSet002\\\\Services', @'HKEY_LOCAL_MACHINE\\\\SYSTEM\\\\CurrentControlSet\\\\Services') \\r\\n| where RegistryValueData has_all (selection_1) or RegistryValueData has_all (selection_2)\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - CobaltStrike: Service Installations in 
Registry\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\r\\n| where ProcessCommandLine has_all ('New-Service','-BinaryPathName')\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - New Service Creation Using PowerShell\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 - Copy - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection=dynamic(['AmmyyAdmin','Atera','BASupportExpressSrvcUpdater','BASupportExpressStandaloneService','chromoting', 'GoToAssist','GoToMyPC','jumpcloud','LMIGuardianSvc','LogMeIn','monblanking','Parsec','RManService','RPCPerformanceService','RPCService','SplashtopRemoteService','SSUService','TightVNC','vncserver','Zoho']);\\r\\nunion \\r\\n(\\r\\nSecurityEvent\\r\\n| where EventID == 4697\\r\\n| where ServiceFileName has_any (selection)\\r\\n| extend TableName_ = \\\"SecurityEvent\\\"\\r\\n| summarize count(), set_Tables=make_set(TableName_) by FileName=ServiceFileName, TenantId\\r\\n),\\r\\n(\\r\\nunion withsource=TableName_ Device*\\r\\n| where FileName has_any (selection)\\r\\n| where FileName endswith \\\".exe\\\"\\r\\n| summarize count(), set_Tables=make_set(TableName_) by FileName, TenantId\\r\\n)\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - Create or Modify System Process - Remote Access Tool Services Have Been 
Installed\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"T1543.003 - Create or Modify System Process - Remote Access Tool Services Have Been Installed\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_sc_1 = dynamic(['sc','config ','binpath=']); \\r\\nlet selection_sc_2 = dynamic(['sc','failure','command=']); \\r\\nDeviceProcessEvents\\r\\n| where ActionType == \\\"ProcessCreated\\\"\\r\\n| where InitiatingProcessParentFileName <> \\\"msiexec.exe\\\"\\r\\n| where FolderPath endswith \\\"sc.exe\\\"\\r\\n| where (ProcessCommandLine has_all (selection_sc_1) or ProcessCommandLine has_all (selection_sc_2))\\r\\n| summarize count(), earliest_Timestamp=min(TimeGenerated) by AccountDomain, AccountName, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, ProcessCommandLine, TenantId\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (sc.exe)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (sc.exe)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_reg_img1 = dynamic(['reg ','add ','FailureCommand']); \\r\\nlet selection_reg_img2 = dynamic(['reg ','add ','ImagePath']); \\r\\nlet selection_reg_ext = dynamic(['.sh', '.exe','.dll','.bin$','.bat','.cmd','.js','.msh$','.reg$','.scr','.ps','.vb','.jar','.pl']); \\r\\nDeviceProcessEvents\\r\\n| where (ProcessCommandLine has_all (selection_reg_img1) and 
ProcessCommandLine has_all (selection_reg_img2) and ProcessCommandLine has_any (selection_reg_ext))\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (reg.exe)\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"T1543.003 - Potential Persistence Attempt Via Existing Service Tampering (reg.exe)\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_cli_3 = dynamic(['gacutil','/I']);\\r\\nDeviceProcessEvents\\r\\n| where InitiatingProcessFolderPath endswith \\\"\\\\\\\\w3wp.exe\\\"\\r\\n| where ProcessCommandLine has \\\"appcmd.exe add module\\\" or\\r\\n (ProcessCommandLine has \\\"system.enterpriseservices.internal.publish\\\" and FolderPath endswith \\\"\\\\\\\\powershell.exe\\\") or\\r\\n (ProcessCommandLine has_all (selection_cli_3))\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1505.004 - Suspicious IIS Module Registration\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"T1505.004 - Suspicious IIS Module Registration\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID == 4697 \\r\\n| where AccountType != 'Machine'\\r\\n| project ServiceName, ServiceFileName,Account, Computer,TimeGenerated\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1543.003 - Windows Service - install services on the device 
\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"4\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 7 - Copy - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Defense Evasion https://attack.mitre.org/tactics/TA0005/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = 'powershell.exe'; \\r\\n let c2 = dynamic(['-version 2', '-v 2']);\\r\\n find where (InitiatingProcessFileName == c1 and InitiatingProcessCommandLine has_any (c2)) or \\r\\n (Process == c1 and CommandLine has_any (c2)) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.001 - Impair Defenses: Disable or Modify Tools - PowerShell Downgrade attack\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let exclusion_defender= dynamic([@'c:\\\\programdata\\\\microsoft\\\\windows defender',@'c:\\\\program files\\\\windows defender']); //Exclude activities from Microsoft Defender itself\\r\\nDeviceRegistryEvents\\r\\n| where ActionType == \\\"RegistryKeyDeleted\\\"\\r\\n| where not(InitiatingProcessFolderPath has_any(exclusion_defender) and InitiatingProcessFileName == \\\"msmpeng.exe\\\") and (PreviousRegistryKey endswith '{2781761E-28E0-4109-99FE-B9D127C57AFE}' or PreviousRegistryKey endswith 
'{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}')\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.001 - Impair Defenses: Removal Of AMSI Provider Registry Keys\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"T1562.001 - Impair Defenses: Removal Of AMSI Provider Registry Keys\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic(['Assembly.GetType','SetValue']); \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or CommandLine has_all (c1) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.001 - Impair Defenses: Disable or Modify Tools - AMSI Bypass attack\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic(['Set-MpPreference', 'Add-MpPreference']);\\r\\n let c2 = dynamic([' -ExclusionPath ', ' -ExclusionExtension ', ' -ExclusionProcess ', ' -ExclusionIpAddress ', 'DisableRealtimeMonitoring ', 'DisableIOAVProtection ', 'DisableBehaviorMonitoring ', 'DisableBlockAtFirstSeen ']); \\r\\n find where (InitiatingProcessCommandLine has_any (c1) or CommandLine has_any (c1)) and \\r\\n (InitiatingProcessCommandLine has_any (c2) or CommandLine has_any (c2)) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.001 - Impair Defenses: Disable or Modify Tools - Defender Disabling or 
Exclusions\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_main = dynamic([@'\\\\SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\', @'\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender Security Center\\\\',@'\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender\\\\']); \\r\\nlet selection_dword_1 = dynamic(['DisableAntiSpyware','DisableAntiVirus', 'DisableBehaviorMonitoring','DisableIntrusionPreventionSystem', 'DisableIOAVProtection', 'DisableOnAccessProtection','DisableRealtimeMonitoring','DisableScanOnRealtimeEnable','DisableScriptScanning','DisableEnhancedNotifications', 'DisableBlockAtFirstSeen']); \\r\\nlet selection_dword_0 = dynamic(['DisallowExploitProtectionOverride', 'TamperProtection', 'MpEnablePus', 'PUAProtection', 'ForceUpdateFromMU', 'SpynetReporting', 'SubmitSamplesConsent','EnableControlledFolderAccess']); \\r\\nlet exclusion_defender= dynamic([@'c:\\\\programdata\\\\microsoft\\\\windows defender',@'c:\\\\program files\\\\windows defender']); //Exclude activities from Microsoft Defender itself\\r\\nDeviceRegistryEvents\\r\\n| where ActionType == \\\"RegistryValueSet\\\"\\r\\n| where RegistryKey has_any (selection_main)\\r\\n| where (RegistryKey matches regex @\\\"(?i)(\\\\\\\\Real-Time Protection|\\\\\\\\Reporting|\\\\\\\\SpyNet)$\\\" and RegistryValueName has_any (selection_dword_1) and RegistryValueType =~ \\\"Dword\\\" and RegistryValueData == 1 )//DWORD (0x00000001) \\r\\nor \\r\\n(RegistryKey matches regex @\\\"(?i)(\\\\\\\\App and Browser protection|\\\\\\\\Features|\\\\\\\\MpEngine|\\\\\\\\Signature Update|\\\\\\\\SpyNet|\\\\\\\\Windows Defender Exploit Guard\\\\\\\\Controlled Folder Access)$\\\" and RegistryValueName 
has_any(selection_dword_0) and RegistryValueType =~ \\\"Dword\\\" and RegistryValueData == 0 )//DWORD (0x00000000) \\r\\n| where not(InitiatingProcessFolderPath has_any (exclusion_defender) and InitiatingProcessFileName == \\\"msmpeng.exe\\\") //Exclude activities from Microsoft Defender itself\\r\\n//| summarize count(), start_TimeStamp =min(TimeGenerated),last_TimeStamp=max(TimeGenerated), set_DeviceName=make_set(DeviceName), DeviceNum=dcount(DeviceName), set_RegistryValueName=make_set(RegistryValueName) by ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, TenantId\\r\\n//| project start_TimeStamp, last_TimeStamp, ActionType, InitiatingProcessParentFileName, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, set_RegistryValueName, DeviceNum, set_DeviceName, count_, TenantId\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.001 ImpairDefenses - Disable Defender Functionalities Via Registry Keys\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents\\r\\n| where RegistryKey endswith @\\\"\\\\Control\\\\MiniNt\\\" \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.002 - Impair Defenses: Disable Windows Logging\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 
\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic(['1102','104']);\\r\\nunion isfuzzy=true \\r\\n(SecurityEvent\\r\\n| where EventSourceName =~ \\\"Microsoft-Windows-Eventlog\\\" and EventID in (c1)),\\r\\n(WindowsEvent\\r\\n| where Provider =~ \\\"Microsoft-Windows-Eventlog\\\" and EventID in (c1)),\\r\\n(Event\\r\\n| where EventLog =~ \\\"Microsoft-Windows-Eventlog\\\" and EventID in (c1)) \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.002 - Impair Defenses: Disable Windows Logging on EventID\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_wevtutil = dynamic([\\\"/e:false\\\", \\\"cl\\\", \\\"clear-log\\\"]);\\r\\nDeviceProcessEvents\\r\\n| where ProcessCommandLine has \\\"WEVTUTIL\\\" and ProcessCommandLine has_any(selection_wevtutil)\\r\\n//| summarize count(), first_seen = min(TimeGenerated), last_seen = max(TimeGenerated) by TenantId, DeviceName, AccountName, InitiatingProcessFolderPath, FolderPath, ProcessCommandLine\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1562.002 Impair Defenses: Disable Windows Logging using wevtutil\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType == \\\"BrowserLaunchedToOpenUrl\\\" and isnotempty(RemoteUrl) \\r\\n| where base64_decode_tostring(extract(@\\\".+http.*\\\\%2F([A-Za-z0-9+\\\\/]{6,}=?)\\\", 1, RemoteUrl)) has_any (\\\".gov\\\", 
\\\".com\\\") \",\"size\":4,\"showAnalytics\":true,\"title\":\"T1027.006 - HTML Smuggling\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 7 - Copy - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Credential Access https://attack.mitre.org/tactics/TA0006/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"procdump\\\", \\\"lsass\\\"]); \\r\\nlet c2 = dynamic([\\\"rundll32\\\", \\\"comsvcs\\\", \\\"MiniDump\\\"]);\\r\\nlet c3 = dynamic(['MiniDump',' full']); \\r\\nlet c4 = 'sekurlsa'; \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) or\\r\\nInitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) or\\r\\nInitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_all (c3) or CommandLine has_all (c3) or \\r\\nInitiatingProcessCommandLine has c4 or ProcessCommandLine has c4 or CommandLine has c4 \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1003.001 - OS Credential Dumping LSASS Memory\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = 
dynamic([\\\"ntds.dit\\\"]); \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1003.003 - OS Credential Dumping Exfiltrate ntds.dit\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"Invoke-NinjaCopy\\\",\\\"Secretsdump.py\\\",\\\"DSInternals\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1) \\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1003.003 - OS Credential Dumping: NTDS using Tools\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_properties = dynamic(['Replicating Directory Changes All','1131f6ad-9c07-11d1-f79f-00c04fc2dcd2','1131f6aa-9c07-11d1-f79f-00c04fc2dcd2','9923a32a-3607-11d2-b9be-0000f87a36b2','89e95b76-444d-4c62-991a-0facbeda640c']);\\r\\nlet selection_AccessMask = '0x100';\\r\\nlet filter1 = 'Window Manager';\\r\\nlet filter2 = @\\\"^(NT AUT|MSOL_)\\\";\\r\\nlet filter3 = \\\"$\\\";\\r\\nSecurityEvent\\r\\n| where EventID == 4662\\r\\n| where Properties has_any (selection_properties) and AccessMask == selection_AccessMask\\r\\n| where not(SubjectDomainName == filter1 or SubjectUserName matches regex filter2 or SubjectUserName endswith filter3)\\r\\n| summarize first_TimeStamp=min(TimeGenerated), 
last_TimeStamp=max(TimeGenerated), count(), set_SubjectDomainNAme = make_set(SubjectDomainName), set_SubjectUserName = make_set(SubjectUserName), set_Properties=make_set(Properties) by Account, Computer, TenantId\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1003.006 - OS Credential Dumping: DCSync\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"dir\\\", \\\".ssh\\\",\\\"known_hosts\\\"]); \\r\\nlet c2 = dynamic([\\\"dir\\\", @\\\"firefox\\\\profiles\\\"]); \\r\\nlet c3 = dynamic([\\\"reg\\\", \\\" query\\\", \\\"OpenSSH\\\"]); \\r\\nlet c4 = dynamic([\\\"reg\\\", \\\" query\\\", \\\"realvnc\\\"]); \\r\\nlet c5 = dynamic([\\\"reg\\\", \\\" query\\\", @\\\"putty\\\\session\\\"]); \\r\\nlet c6 = dynamic([\\\"reg\\\", \\\" save\\\", @\\\" hklm\\\\sam\\\", \\\" ss.dat\\\"]); \\r\\nlet c7 = dynamic([\\\"reg\\\", \\\" save\\\", @\\\" hklm\\\\system\\\", \\\" sy.dat\\\"]); \\r\\nfind where (InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)) or\\r\\n(InitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2)) or\\r\\n(InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_all (c3) or CommandLine has_all (c3)) or \\r\\n(InitiatingProcessCommandLine has_all (c4) or ProcessCommandLine has_all (c4) or CommandLine has_all (c4)) or\\r\\n(InitiatingProcessCommandLine has_all (c5) or ProcessCommandLine has_all (c5) or CommandLine has_all (c5)) or\\r\\n(InitiatingProcessCommandLine has_all (c6) or ProcessCommandLine has_all (c6) or CommandLine has_all (c6)) or\\r\\n(InitiatingProcessCommandLine has_all (c7) or ProcessCommandLine has_all 
(c7) or CommandLine has_all (c7)) \\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1555 - Credentials from Password Stores\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = @'reg.*query\\\\s.*password';\\r\\nfind where InitiatingProcessCommandLine matches regex c1 or ProcessCommandLine matches regex c1 or CommandLine matches regex c1 \\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1552.002 - REGISTRY Password Dumping\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent \\r\\n | where EventID == 4769 \\r\\n | parse EventData with * 'ServiceName\\\">' ServiceName \\\"<\\\" * \\r\\n | where ServiceName contains \\\"pick\\\"\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs \\r\\n| where parse_json(RiskEventTypes_V2) has \\\"unfamiliarFeatures\\\" and RiskLevelDuringSignIn == \\\"high\\\"\\r\\n| where ResultType == \\\"0\\\"\\r\\n| where AppDisplayName == \\\"OfficeHome\\\"\\r\\n| project-reorder 
TimeGenerated,IPAddress, Location, UserPrincipalName, AppDisplayName, Category, ResultType, ResultDescription, RiskLevelDuringSignIn, RiskEventTypes_V2, RiskDetail, AutonomousSystemNumber, AuthenticationDetails\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1557 - AiTM - Phishing logging\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 7\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Discovery https://attack.mitre.org/tactics/TA0007/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"curl\\\", \\\"www.ip-api.com\\\"]);\\r\\nlet c2 = dynamic([\\\"ldifde.exe\\\", \\\"subtree\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) or\\r\\nInitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1016 - Enumerate Network Topology\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"Get-EventLog\\\", \\\"4624\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or 
CommandLine has_all (c1) \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1033 - Identify successful logons to the host\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 1 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"cmd\\\", \\\"wmic\\\", \\\"caption\\\", \\\"filesystem\\\"]); \\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1082 - System Information Discovery\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 1 \"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 8\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Lateral Movement https://attack.mitre.org/tactics/TA0008/\",\"style\":\"success\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let webserver_ip = ()\\r\\n{DeviceNetworkEvents\\r\\n| where InitiatingProcessFileName has_any ('w3wp','nginx','apache') and LocalIPType == \\\"Private\\\"\\r\\n| distinct LocalIP};\\r\\nDeviceNetworkEvents\\r\\n| where (LocalIP has_any (webserver_ip()) or DeviceName contains \\\"Web\\\") and RemotePort in (3389,22)\\r\\n| distinct RemoteIP, DeviceName,RemotePort, InitiatingProcessCommandLine\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1021 - 
Lateral Movement - Remote Services\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n| where RequestProtocol == \\\"Smb\\\" \\r\\n| where FileName endswith \\\".exe\\\" // Filter for executables, remove for a wider scope \\r\\n| summarize make_set(FileName), make_set(DeviceName), make_set(SHA1), make_set(ShareName), count() by RequestSourceIP, RequestAccountName\\r\\n| where count_ < 20 // Filter on lower count to reduce noise\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1021.002 - SMB/Windows Admin Shares\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1 - Copy\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 9\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Command and Control https://attack.mitre.org/tactics/TA0011/\",\"style\":\"success\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"portproxy\\\", \\\"netsh\\\", \\\"add\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1090 - 
Proxy\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 10\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Impact https://attack.mitre.org/tactics/TA0040/\",\"style\":\"success\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n| where ActionType in ('AsrRansomwareBlocked', 'AsrRansomwareAudited')\\r\\n| where FileName !in ('vssadmin.exe')\\r\\n| summarize arg_max(TimeGenerated, *), TotalEvents = count(), TriggeredFiles = make_set(FileName), FileHashes = make_set(SHA1), IntiatingProcesses = make_set(InitiatingProcessCommandLine) by DeviceName, AccountName\\r\\n| project TimeGenerated, DeviceName, AccountDomain, AccountName, TotalEvents, TriggeredFiles, FileHashes, IntiatingProcesses \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"T1486 - ASR Ransomware - Detects when the ASR rule AsrRansomwareBlocked or AsrRansomwareAudited is triggered\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 10 - Copy\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Malware / 
Tools\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Impacket https://attack.mitre.org/software/S0357/\",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([\\\"cmd.exe\\\", \\\"2>&1\\\", \\\"ADMIN$\\\"]);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) \\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0357 - Potential Impacket Execution \\\"dir\\\" command\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(union isfuzzy=true\\r\\n (SecurityEvent\\r\\n | where EventID == '5145'\\r\\n | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @\\\".tmp\\\"\\r\\n | where ShareName has \\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\"\\r\\n ),\\r\\n (WindowsEvent\\r\\n | where EventID == '5145' \\r\\n | extend RelativeTargetName= tostring(EventData.RelativeTargetName)\\r\\n | extend ShareName= tostring(EventData.ShareName)\\r\\n | where RelativeTargetName has 'SYSTEM32' and RelativeTargetName endswith @\\\".tmp\\\"\\r\\n | where ShareName has \\\"\\\\\\\\\\\\\\\\*\\\\\\\\ADMIN$\\\"\\r\\n | extend Account = strcat(tostring(EventData.SubjectDomainName),\\\"\\\\\\\\\\\", tostring(EventData.SubjectUserName))\\r\\n )\\r\\n )\\r\\n | extend timestamp = TimeGenerated \\r\\n | extend NTDomain = split(Account, '\\\\\\\\', 0)[0], UserName = split(Account, '\\\\\\\\', 1)[0]\\r\\n | extend HostName = split(Computer, '.', 0)[0], DnsDomain = strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')\\r\\n | extend Account_0_Name = UserName\\r\\n | extend Account_0_NTDomain = NTDomain\\r\\n | extend Host_0_HostName = 
HostName\\r\\n | extend Host_0_DnsDomain = DnsDomain\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0357 - Impacket Secretdump with SMB2\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Cobalt Strike https://attack.mitre.org/software/S0154/\",\"style\":\"success\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let badNames = dynamic([\\\"aaa.stage\\\",\\\"baa.stage\\\",\\\"caa.stage\\\", \\\"post.1\\\"]);\\r\\n(union isfuzzy=true\\r\\n(DnsEvents \\r\\n| where Name has_any (badNames)\\r\\n| extend Domain = Name, SourceIp = ClientIP, RemoteIP = todynamic(IPAddresses)\\r\\n| mvexpand RemoteIP\\r\\n| extend RemoteIP = tostring(RemoteIP)),\\r\\n(VMConnection\\r\\n| where isnotempty(RemoteDnsCanonicalNames) \\r\\n| parse RemoteDnsCanonicalNames with * '[\\\"' DNSName '\\\"]' *\\r\\n| where DNSName has_any (badNames)\\r\\n| extend Domain = DNSName, RemoteIP = RemoteIp\\r\\n))\\r\\n| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer\\r\\n| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0154 - Cobalt Strike: DNS Beaconing\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_MSSE = dynamic([@'\\\\MSSE-', '-server']);\\r\\nlet selection_Pipename = dynamic(['\\\\\\\\postex_', '\\\\\\\\status_', 
'\\\\\\\\msagent_', '\\\\\\\\mojo_', '\\\\\\\\interprocess_', '\\\\\\\\samr_', '\\\\\\\\netlogon_', '\\\\\\\\srvsvc_', '\\\\\\\\lsarpc_', '\\\\\\\\wkssvc_']); // Also include the pipe \\\"\\\\postex_ssh_\\\"\\r\\nDeviceEvents\\r\\n| where ActionType == \\\"NamedPipeEvent\\\"\\r\\n| extend FileOperation_ = tostring(AdditionalFields.FileOperation)\\r\\n| extend PipeName_ = tostring(AdditionalFields.PipeName)\\r\\n| where FileOperation_ == \\\"File created\\\"\\r\\n| where PipeName_ has_all (selection_MSSE) or PipeName_ has_any (selection_Pipename)\\r\\n| where not(InitiatingProcessFolderPath contains \\\"kdsstm.exe\\\" and PipeName_ contains \\\"kyoceradocumentsolutions\\\") // Kyocera drivers\\r\\n//| summarize count(), earliest_Timestamp=min(TimeGenerated) by ActionType, DeviceName, InitiatingProcessParentFileName, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessFolderPath, InitiatingProcessCommandLine, FileOperation_, PipeName_, TenantId\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0154 - Cobalt Strike: NamedPipe\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"},{\"type\":1,\"content\":{\"json\":\"### QakBot https://attack.mitre.org/software/S0650/\",\"style\":\"success\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic(['net view', 'cmd /c set', 'nslookup-querytype=ALL -timeout=12', '_ldap._tcp.dc._msdcs.WORKGROUP', 'net share', 'net1 share', 'route print', 'net localgroup', 'whoami /all']);\\r\\nfind where InitiatingProcessCommandLine in (c1) or ProcessCommandLine in (c1) or CommandLine in (c1) \\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0650 - Qakbot: Post compromise 
commands\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic([@'/c ping.exe -n 6 127.0.0.1 & type']);\\r\\nlet c2 = dynamic(['regsvr32.exe','.tmp',@'C:\\\\ProgramData']);\\r\\nfind where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1) or\\r\\nInitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) \\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0650 - Qakbot: Process executions\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"35\",\"name\":\"query - 2 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let selection_1 = dynamic([@'SOFTWARE\\\\Microsoft\\\\Windows Defender\\\\Exclusions\\\\Paths', @'SOFTWARE\\\\Microsoft\\\\Microsoft Antimalware\\\\Exclusions\\\\Paths']); \\r\\nlet selection_2 = dynamic(['ADD ', @'/t ','REG_DWORD ',@'/v ',@'/d ', '0']); \\r\\nDeviceProcessEvents\\r\\n| where ActionType == \\\"ProcessCreated\\\"\\r\\n| where FolderPath endswith @'\\\\\\\\reg.exe'\\r\\n| where ProcessCommandLine has_any (selection_1) and ProcessCommandLine has_all (selection_2)\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0650 - Qakbot: Defender 
Exclusions\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"30\",\"name\":\"query - 2 \"},{\"type\":1,\"content\":{\"json\":\"### Bloodhound/Sharphound https://attack.mitre.org/software/S0521/\",\"style\":\"success\"},\"name\":\"text - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\" let c1 = dynamic([' -CollectionMethod All ', ' --CollectionMethods Session ', ' --Loop --Loopduration ', ' --PortScanTimeout ', '.exe -c All -d', 'Invoke-Bloodhound', 'Get-BloodHoundData']);\\r\\n let c2 = dynamic([' -JsonFolder ', ' -ZipFileName ']);\\r\\n let c3 = dynamic([' DCOnly ', ' --NoSaveCache ']);\\r\\n find where (InitiatingProcessCommandLine has_any (c1) or ProcessCommandLine has_any (c1) or CommandLine has_any (c1)) or \\r\\n InitiatingProcessCommandLine has_all (c2) or ProcessCommandLine has_all (c2) or CommandLine has_all (c2) or \\r\\n InitiatingProcessCommandLine has_all (c3) or ProcessCommandLine has_any (c3) or CommandLine has_all (c3) \\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0521 - Bloodhound/Sharphound Execution Commandlets\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"},{\"type\":1,\"content\":{\"json\":\"### AdFind https://attack.mitre.org/software/S0552/\",\"style\":\"success\"},\"name\":\"text - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let c1 = dynamic(['domainlist', 'trustdmp', 'dcmodes', 'adinfo', ' dclist ', 'computer_pwdnotreqd', 'objectcategory=', '-subnets -f', 'name=\\\"Domain Admins\\\"', '-sc u:', 'domainncs', 'dompol', ' oudmp ', 'subnetdmp', 
'gpodmp', 'fspdmp', 'users_noexpire', 'computers_active', 'computers_pwdnotreqd']);\\r\\nfind where \\r\\nFileName =~ \\\"AdFind.exe\\\" or ProcessVersionInfoOriginalFileName =~ \\\"AdFind.exe\\\" or \\r\\nInitiatingProcessFileName =~ \\\"AdFind.exe\\\" or InitiatingProcessVersionInfoOriginalFileName =~ \\\"AdFind.exe\\\" or Process =~ \\\"AdFind.exe\\\" or\\r\\nProcessCommandLine has_any (c1) \\r\\n\\r\\n\\r\\n\",\"size\":4,\"showAnalytics\":true,\"title\":\"S0552 - AdFind Execution\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"rowLimit\":10000}},\"customWidth\":\"50\",\"name\":\"query - 2 \"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TH ADS\"},\"name\":\"group - 11\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"title\":\"Open Source TI hunts\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Threat Hunts based on Open-Source-Threat-Intel-Feeds\\n\\nref.
\\n[Bert-Jan](https://github.com/Bert-JanP/Open-Source-Threat-Intel-Feeds)
\\n[montysecurity](https://github.com/montysecurity)
\\n[tweetfeed.live](https://tweetfeed.live/)
\\n[drb-ra](https://github.com/drb-ra/C2IntelFeeds)
\\n\"},\"name\":\"text - 0\"},{\"type\":1,\"content\":{\"json\":\"# IP IOCs \",\"style\":\"success\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"// TI - montysecurity\\nlet BruteRatel = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Brute%20Ratel%20C4%20IPs.txt\\\"] | extend Tag='BruteRatel', TIFeed='montysecurity';\\nlet AresRat = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Ares%20RAT%20C2%20IPs.txt\\\"] | extend Tag='AresRat', TIFeed='montysecurity';\\nlet CalderaC2 = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Caldera%20C2%20IPs.txt\\\"] | extend Tag='CalderaC2', TIFeed='montysecurity';\\nlet CobaltStrike = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Cobalt%20Strike%20C2%20IPs.txt\\\"] | extend Tag='CobaltStrike', TIFeed='montysecurity';\\nlet Covenant = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/montysecurity/C2-Tracker/main/data/Covenant%20C2%20IPs.txt\\\"] | extend Tag='Covenant', TIFeed='montysecurity';\\nlet MetasploitFrameworkC2 = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://github.com/montysecurity/C2-Tracker/raw/main/data/Metasploit%20Framework%20C2%20IPs.txt\\\"] | extend Tag='MetasploitFrameworkC2', TIFeed='montysecurity';\\nlet RemcosProRAT = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://github.com/montysecurity/C2-Tracker/raw/main/data/Remcos%20Pro%20RAT%20Trojan%20IPs.txt\\\"] | extend Tag='RemcosProRAT', TIFeed='montysecurity';\\nlet SliverC2 = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://github.com/montysecurity/C2-Tracker/raw/main/data/Remcos%20Pro%20RAT%20Trojan%20IPs.txt\\\"] | extend 
Tag='SliverC2', TIFeed='montysecurity';\\nlet montysecurity_all = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://github.com/montysecurity/C2-Tracker/raw/main/data/all.txt\\\"] | extend Tag='montysecurity_all', TIFeed='montysecurity';\\n// tweetfeed.live\\nlet tweetfeed_live = externaldata( Date_:datetime, reporter:string, type:string, IP:string, tag:string , twiter:string, Tag:string, TIFeed:string)[@\\\"https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/month.csv\\\"] | where type=='ip' | extend Tag=strcat(tag,\\\" - \\\", twiter), TIFeed='tweetfeed.live';\\n// proofpoint\\nlet proofpoint = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://rules.emergingthreats.net/blockrules/compromised-ips.txt\\\"] | extend Tag='compromised-ips', TIFeed='proofpoint';\\n// CINS // 15000\\nlet cins = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://cinsscore.com/list/ci-badguys.txt\\\"] | extend Tag='CI-badguys', TIFeed='CINS';\\n// drb-ra C2IntelFeeds\\nlet ['drb-ra'] = externaldata(IP:string, Tag:string, TIFeed:string)[@\\\"https://github.com/drb-ra/C2IntelFeeds/raw/master/feeds/IPC2s-30day.csv\\\"] | extend Tag=strcat(Tag, ' - C2IntelFeeds'), TIFeed='drb-ra';\\nlet whitelist= dynamic(['']); // Add IPs to whitelist\\nlet IPList = union BruteRatel,AresRat, CalderaC2,CobaltStrike,Covenant, MetasploitFrameworkC2, RemcosProRAT, SliverC2, montysecurity_all, tweetfeed_live, proofpoint,cins,['drb-ra'] | where IP !in (whitelist) | summarize TIName=make_set(Tag) by IP, TIFeed;\\nDeviceNetworkEvents\\n| where RemoteIP in (IPList)\\n//| where InitiatingProcessFileName !in ('svchost.exe','cvd.exe','cvfwd.exe','dns.exe','firefox.exe','msedge.exe','chrome.exe') //filter on process\\n//| where ActionType !in ('InboundConnectionAccepted') // filter on action type\\n| join IPList on $left.RemoteIP == $right.IP\\n| extend GeoIPInfo = geo_info_from_ip_address(RemoteIP)\\n| extend country = tostring(parse_json(GeoIPInfo).country), state = 
tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude)\\n| project TimeGenerated, DeviceName, ActionType, RemoteIP, RemoteUrl, TIFeed, TIName, country, InitiatingProcessCommandLine, InitiatingProcessFileName, InitiatingProcessSHA1, InitiatingProcessFolderPath, InitiatingProcessParentFileName\\n\\n\",\"size\":2,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TI\"},\"name\":\"query - 44\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"TI\"},\"name\":\"TI1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"# Initial Investigation - Pivoting on compromised assets \\n\",\"style\":\"info\"},\"name\":\"text - 1\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"12605331-9507-4adf-999e-6cf39a0eda8c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"UserAccount\",\"type\":1,\"description\":\"Add user account(s) in array format e.g. \\\"user@domain.au\\\",\\\"user3\\\"\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\",\"multiLineHeight\":2},\"timeContext\":{\"durationMs\":86400000},\"value\":\"\\\"user@domain.au\\\",\\\"user3\\\"\"},{\"id\":\"3c68e0ad-30ce-4fb3-9102-d9277f3a7b72\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_IOC\",\"label\":\"IP Addresses\",\"type\":1,\"description\":\"Add IP addresses in array format e.g. 
\\\"1.1.1.1\\\",\\\"8.8.8.8\\\"\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\",\"multiLineHeight\":2},\"timeContext\":{\"durationMs\":86400000},\"value\":\"\\\"1.1.1.1\\\",\\\"8.8.8.8\\\"\"},{\"id\":\"3c9a6385-4ff8-4c03-86ae-95b300deed1e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Host_IOC\",\"type\":1,\"description\":\"Add host names in array format e.g. \\\"host1\\\",\\\"host2\\\"\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\",\"multiLineHeight\":2},\"timeContext\":{\"durationMs\":86400000},\"value\":\"\\\"host1\\\",\\\"host2\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Security alerts in past 30 days\",\"style\":\"success\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\n| where TimeGenerated > ago(30d)\\n| summarize arg_max(TimeGenerated, *) by SystemAlertId\\n| where Entities has_any ({Host_IOC}) or CompromisedEntity has_any ({Host_IOC})\\nor Entities has_any ({UserAccount}) or CompromisedEntity has_any ({UserAccount}) \\nor Entities has_any ({IP_IOC}) or CompromisedEntity has_any ({IP_IOC}) \\n| project StartTime, AlertName, AlertSeverity, CompromisedEntity, Entities, AlertLink | order by StartTime asc \",\"size\":0,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertLink\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Go to Alert\"}}]},\"sortBy\":[]},\"name\":\"query - 0\"}]},\"name\":\"Security 
Alerts\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Host activities\",\"style\":\"success\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\n| where DeviceName has_any ({Host_IOC}) \\n| where AccountName != \\\"system\\\" // If you suspect that the system user is compromised, remove this filter.\\n| where InitiatingProcessFileName == \\\"powershell.exe\\\"\\n| sort by TimeGenerated\\n| top 100 by TimeGenerated\\n| project TimeGenerated, DeviceName, ActionType, FileName, ProcessCommandLine, AccountDomain, AccountName, InitiatingProcessCommandLine\\n\",\"size\":1,\"title\":\"DeviceProcessEvents - Powershell executions\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\n| where DeviceName has_any ({Host_IOC}) \\n| where FileName in (\\\"net.exe\\\", \\\"net1.exe\\\")\\n| extend NetActionType = case(ProcessCommandLine has \\\"accounts\\\", \\\"ACCOUNTS\\\",\\n ProcessCommandLine has \\\"group\\\", \\\"GROUP\\\",\\n ProcessCommandLine has \\\"user\\\", \\\"USER\\\",\\n ProcessCommandLine has \\\"localgroup\\\", \\\"LOCALGROUP\\\",\\n \\\"Other\\\")\\n| where NetActionType != \\\"Other\\\"\\n| project-reorder TimeGenerated, ProcessCommandLine\\n| sort by TimeGenerated\",\"size\":1,\"title\":\"DeviceProcessEvents - net.exe activities\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\n| where DeviceName has_any 
({Host_IOC}) \\n| where RemotePort == 445\\n| where ActionType == \\\"ConnectionSuccess\\\"\",\"size\":1,\"title\":\"DeviceNetworkEvents - successful SMB connections\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\n| where RequestProtocol == \\\"Smb\\\" //and FileName endswith \\\".exe\\\"\\n| where DeviceName has_any ({Host_IOC}) or RequestAccountName has_any ({UserAccount})\\n| summarize FileName_=make_set(FileName), DeviceName_=make_set(DeviceName), SHA1_=make_set(SHA1), ShareName_=make_set(ShareName), count() by RequestSourceIP\",\"size\":1,\"title\":\"DeviceFileEvents - File transfers - SMB/Windows Admin Shares \",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\n| where DeviceName has_any ({Host_IOC}) \\n| where ActionType == \\\"AntivirusDetection\\\"\\n| summarize TotalDetections = count() by DeviceName , FileName, SHA1 \",\"size\":1,\"title\":\"DeviceEvents - Antivirus events\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"IdentityLogonEvents \\n| where DeviceName has_any ({Host_IOC}) \\n| summarize\\n TotalDevicesAccessed = dcount(DestinationDeviceName),\\n DevicesAccessed = make_set(DestinationDeviceName),\\n ProtocolsUsed = make_set(Protocol)\\n by 
DeviceName\",\"size\":1,\"title\":\"IdentityLogonEvents - Devices that have been accessed by a compromised device\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy - Copy - Copy - Copy - Copy\"}]},\"name\":\"Host entities\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### User account activities\",\"style\":\"success\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs\\n| where ResultType == 0\\n| where UserPrincipalName has_any ({UserAccount})\\n// In case of all details remove line below\\n| project TimeGenerated, UserPrincipalName, Category, Location, IPAddress, AppDisplayName, ClientAppUsed, RiskState\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"SigninLogs - Sign Ins by comrpomised account\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where SenderFromAddress has_any ({UserAccount})\\n| where AttachmentCount > 0\\n| join kind=leftouter EmailAttachmentInfo on NetworkMessageId\\n| project TimeGenerated, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject, ThreatTypes, SHA256\\n| join kind=leftouter DeviceFileEvents on SHA256\\n| summarize\\n EmailReciepients = make_set(RecipientEmailAddress),\\n Subject= make_set(Subject),\\n FileOnDevices = make_set(DeviceName)\\n by SHA256, NetworkMessageId\\n| extend\\n TotalReciepients = 
array_length(EmailReciepients),\\n DeviceWithFileInteraction = array_length(FileOnDevices)\",\"size\":1,\"showAnalytics\":true,\"title\":\"EmailEvents/DeviceFileEvents - Attachments sent from a compromised mailbox\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"filter\":true}},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AuditLogs\\n| extend InitiatingUser = parse_json(InitiatedBy.user)\\n| extend InitatingUPN = parse_json(InitiatingUser).userPrincipalName\\n| where InitatingUPN has_any ({UserAccount})\\n| project-reorder TimeGenerated, InitatingUPN, OperationName, ResultDescription, ActivityDisplayName, Resource, Result\\n\",\"size\":1,\"showAnalytics\":true,\"title\":\"AuditLogs - List AuditLog activities by user\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"33\",\"name\":\"query - 0 - Copy\"}]},\"name\":\"Account entities\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"piv\"},\"name\":\"group - 13\"}],\"isLocked\":false,\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", + "version": "1.0", + "sourceId": "[variables('workbookSourceId')]", + "category": "[parameters('workbookType')]" + } + } + ], + "outputs": { + "workbookId": { + "type": "string", + "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]" + } + }, + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" +} \ No newline at end of file 
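Review bot: the `SliverC2` feed in the "IP IOCs" query is wired to the wrong file: `let SliverC2 = externaldata(...)[@"https://github.com/montysecurity/C2-Tracker/raw/main/data/Remcos%20Pro%20RAT%20Trojan%20IPs.txt"]` is the same URL as the `RemcosProRAT` line directly above it, so every Remcos IP is also tagged `SliverC2` in `TIName` and real Sliver infrastructure from that repo is never loaded; point it at the Sliver C2 IPs file in the same `data/` directory as the other feeds. Two smaller items in the same serializedData blob while it is being touched: the SigninLogs tile title reads "Sign Ins by comrpomised account", and the column aliases `EmailReciepients` / `TotalReciepients` and `InitatingUPN` are misspelled (they are user-visible grid headers, so worth correcting before this ships).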
diff --git a/utilities/tools/Gap-Analysis/Gap-Analysis-Workbook-WASOCv1.0.json b/utilities/tools/Gap-Analysis-Workbook-WASOCv1.0.json similarity index 100% rename from utilities/tools/Gap-Analysis/Gap-Analysis-Workbook-WASOCv1.0.json rename to utilities/tools/Gap-Analysis-Workbook-WASOCv1.0.json diff --git a/utilities/tools/Gap-Analysis/README.md b/utilities/tools/Gap-Analysis/README.md deleted file mode 100644 index ddf5d81fc..000000000 --- a/utilities/tools/Gap-Analysis/README.md +++ /dev/null @@ -1,12 +0,0 @@ -**WASOC GAP Analysis** - -Use the following deploy button to deploy the Gap Analysis workbook: - -

- -| **Gap Analysis Workbook** | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fwagov%2Fwasocshared%2Fmain%2Futilities%2Ftools%2FGap-Analysis%2FGap-Analysis-Workbook-WASOCv1.0.json) | -| ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | - -
- -For detailed steps on the deployment, go to ['How To' Deploy the GAP Analysis workbook](/utilities/guides/gap-analysis-workbook-deployment.md). diff --git a/utilities/tools/README.md b/utilities/tools/README.md new file mode 100644 index 000000000..9a78ca25f --- /dev/null +++ b/utilities/tools/README.md @@ -0,0 +1,19 @@ +**WASOC Workbooks** + +Use the following deploy links to deploy WASOC workbooks: + +| Name | Deployment Link | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| **Gap Analysis Workbook** | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fwagov%2Fwasocshared%2Fmain%2Futilities%2Ftools%2FGap-Analysis-Workbook-WASOCv1.0.json) | +| **WAGov - Threat Hunting - Rapid IOC Search** | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fwagov%2Fwasocshared%2Fmain%2Futilities%2Ftools%2FRapid-IOC-Search-Workbook-WASOCv1.0.json) | +| **AD-Hoc Threat hunting activities** | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fwagov%2Fwasocshared%2Fmain%2Futilities%2Ftools%2FAD-Hoc-Threat-Hunting-Activities-WASOCv1.0.json) | + +'How to' guides: + +[How to Deploy a Workbook With ARM Template](/utilities/guides/Workbook-Deployment.md) + +[How to use the GAP Analysis workbook](/utilities/guides/Gap-Analysis-Workbook.md) + +[How to use the Rapid IOC workbook](/utilities/guides/Rapid-IOC-Workbook.md) + +[How to use the Ad-Hoc Threat Hunting workbook](/utilities/guides/AD-Hoc-Threat-Hunting-Workbook.md) 
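Review bot: the new `utilities/tools/README.md` links to four guide pages (`/utilities/guides/Workbook-Deployment.md`, `/utilities/guides/Gap-Analysis-Workbook.md`, `/utilities/guides/Rapid-IOC-Workbook.md`, `/utilities/guides/AD-Hoc-Threat-Hunting-Workbook.md`) while the deleted README pointed at `/utilities/guides/gap-analysis-workbook-deployment.md`; none of these guide files is created or renamed anywhere in this diff, so either add them in this change or confirm they already exist, otherwise every 'How to' link on the landing page is dead. The Gap Analysis deploy button correctly follows the `Gap-Analysis/` to `tools/` rename in its encoded raw URL; note that all three buttons encode the `main` branch, so they only resolve after merge. Minor: the table title "AD-Hoc Threat hunting activities" and the guide link "Ad-Hoc Threat Hunting workbook" use different capitalisation for the same workbook.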
diff --git a/utilities/tools/Rapid-IOC-Search-Workbook-WASOCv1.0.json b/utilities/tools/Rapid-IOC-Search-Workbook-WASOCv1.0.json new file mode 100644 index 000000000..47c52a63d --- /dev/null +++ b/utilities/tools/Rapid-IOC-Search-Workbook-WASOCv1.0.json 
@@ -0,0 +1,61 @@ +{ + "contentVersion": "1.0.0.0", + "parameters": { + "workbookDisplayName": { + "type": "string", + "defaultValue": "WAGov - Threat Hunting - Rapid IOC Search", + "metadata": { + "description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group." + } + }, + "workbookType": { + "type": "string", + "defaultValue": "sentinel", + "metadata": { + "description": "The gallery that the workbook will been shown under. Supported values include workbook, tsg, etc. Usually, this is 'workbook'" + } + }, + "WorkspaceName": { + "type": "string", + "defaultValue": "", + "minLength": 1, + "metadata": { + "description": "The name of the Log Analytics workspace to which this workbook will be associated" + } + }, + "workbookId": { + "type": "string", + "defaultValue": "[newGuid()]", + "metadata": { + "description": "The unique guid for this workbook instance" + } + } + }, +"variables": { + "workbookSourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('WorkspaceName'))]" + }, + "resources": [ + { + "name": "[parameters('workbookId')]", + "type": "microsoft.insights/workbooks", + "location": "[resourceGroup().location]", + "apiVersion": "2022-04-01", + "dependsOn": [], + "kind": "shared", + "properties": { + "displayName": "[parameters('workbookDisplayName')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"value::selected\"],\"parameters\":[{\"id\":\"8e7728b6-d24b-484f-8882-30681973ac2a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Resources\\r\\n| summarize Count = count() by subscriptionId\\r\\n| order by Count desc\\r\\n| extend Rank = row_number()\\r\\n| project value = subscriptionId, label = subscriptionId, selected = Rank == 
1\",\"crossComponentResources\":[\"value::selected\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[]},{\"id\":\"41102d0e-96f6-42aa-9496-d43573a7537a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"query\":\"resources | where type =~ 'Microsoft.operationsmanagement/solutions' | where name contains 'SecurityInsights' | project id = tostring(properties.workspaceResourceId)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[],\"showDefault\":false},\"timeContext\":{\"durationMs\":86400000},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":null},{\"id\":\"79b21540-298d-4224-8349-fb32b4cb02e9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":2592000000}},{\"id\":\"8d9f06c4-b230-46cc-ae35-4c6b6ddb25c5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Instructions\",\"label\":\"Show Instructions\",\"type\":10,\"typeSettings\":{\"additionalResourceOptions\":[]},\"jsonData\":\"[\\n { \\\"value\\\":\\\"Hide\\\", \\\"label\\\":\\\"Hide\\\",\\\"selected\\\":true},\\n { \\\"value\\\":\\\"Show\\\", \\\"label\\\":\\\"Show\\\" }\\n]\",\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\"},\"name\":\"parameters - 1\"},{\"type\":1,\"content\":{\"json\":\"This workbook help analyst to perform IOC threat hunting activites in their own agency. 
The search results allow SOC Analyst to immediately identify table and agency of interest, to be able to perform deeper analysis at agency's own workspaces. \\nPlease Note: The workbooks does not guarantee 100% coverage of all logs, Security analyst needs to perform further analysis in Log Analytics workspace.\\n\\n---\\n## Instructions:\\n1. Select Workspace (Default to all)\\n2. Define Time Range of search.\\n3. Prepare your IOCs. Supported IOCs (FileHash,IP Address, URL, Email)\\n4. Copy-paste your search query into the \\\"Search Query\\\" field\\n5. Contact cybersecurity@dpc.wa.gov.au for further enquiries and training on this workbook\"},\"conditionalVisibility\":{\"parameterName\":\"Instructions\",\"comparison\":\"isEqualTo\",\"value\":\"Show\"},\"name\":\"text - 0\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"tabStyle\":\"bigger\",\"links\":[{\"id\":\"4d3e6860-e43a-4b79-acac-f7fa20cfe0a5\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"IP Address\",\"subTarget\":\"ip\",\"style\":\"link\"},{\"id\":\"dd6cbcf7-9e1f-4533-8003-45b4d2e989e8\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File Hash\",\"subTarget\":\"filehash\",\"style\":\"link\"},{\"id\":\"61df5b01-b497-4525-94b0-cad9d87aaea0\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"URL\",\"subTarget\":\"url\",\"style\":\"link\"},{\"id\":\"f861bc97-f235-414b-82df-898af0b47a87\",\"cellValue\":\"Tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Email (External)\",\"subTarget\":\"email_external\",\"style\":\"link\"}]},\"name\":\"links - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"28514c62-46bc-49f9-9b5e-ce7b5512200e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_IOC\",\"label\":\"IP Addresses\",\"type\":1,\"description\":\"Add IP addresses in array format e.g. 
(\\\"1.1.1.1\\\",\\\"8.8.8.8\\\")\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\"},\"timeContext\":{\"durationMs\":86400000},\"value\":\"(\\\"8.8.8.8\\\",\\\"1.1.1.1\\\")\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 3\"},{\"type\":1,\"content\":{\"json\":\"### SecurityAlert\"},\"name\":\"text - 47\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n|summarize arg_max(TimeGenerated,*) by SystemAlertId\\r\\n| extend Entities = iff(isempty(Entities), todynamic('[{\\\"dummy\\\" : \\\"\\\"}]'), todynamic(Entities))\\r\\n| mvexpand Entities\\r\\n| evaluate bag_unpack(Entities, \\\"Entity_\\\")\\r\\n| extend Entity_Type = columnifexists(\\\"Entity_Type\\\", \\\"\\\")\\r\\n| extend Entity_Name = columnifexists(\\\"Entity_Name\\\", \\\"\\\")\\r\\n| extend Entity_ResourceId = columnifexists(\\\"Entity_ResourceId\\\", \\\"\\\")\\r\\n| extend Entity_Directory = columnifexists(\\\"Entity_Directory\\\", \\\"\\\")\\r\\n| extend Entity_Value = columnifexists(\\\"Entity_Value\\\", \\\"\\\")\\r\\n| extend Entity_HostName = columnifexists(\\\"Entity_HostName\\\", \\\"\\\")\\r\\n| extend Entity_Address = columnifexists(\\\"Entity_Address\\\", \\\"\\\")\\r\\n| extend Entity_ProcessId = columnifexists(\\\"Entity_ProcessId\\\", \\\"\\\")\\r\\n| extend Entity_Url = columnifexists(\\\"Entity_Url\\\", \\\"\\\")\\r\\n| extend Target = iif(Entity_Type == \\\"account\\\", Entity_Name, iif(Entity_Type == \\\"azure-resource\\\", Entity_ResourceId, iif(Entity_Type == \\\"cloud-application\\\", Entity_Name, iif(Entity_Type == \\\"dns\\\", Entity_Name, iif(Entity_Type == \\\"file\\\", strcat(Entity_Directory, \\\"\\\\\\\\\\\", Entity_Name), iif(Entity_Type == \\\"filehash\\\", Entity_Value, iif(Entity_Type == \\\"host\\\", Entity_HostName, iif(Entity_Type == \\\"ip\\\" , Entity_Address, iif(Entity_Type == \\\"malware\\\", Entity_HostName, iif(Entity_Type == 
\\\"network-connection\\\", Entity_Name, iif(Entity_Type == \\\"process\\\", Entity_ProcessId, iif(Entity_Type == \\\"registry-key\\\", Entity_Name, iif(Entity_Type == \\\"registry-value\\\", Entity_Name, iif(Entity_Type == \\\"security-group\\\", Entity_Name, iif(Entity_Type == \\\"url\\\", Entity_Url, \\\"NoTarget\\\")))))))))))))))\\r\\n| where Entity_Type == \\\"ip\\\"\\r\\n|where Target has_any {IP_IOC}\\r\\n|summarize IOC=make_set(Target), AlertName=make_set(AlertName),SystemAlertId=make_set(SystemAlertId) ,count_=count(Target) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend AlertName = tostring(strcat_array(AlertName,\\\", \\\")), SystemAlertId = tostring(strcat_array(SystemAlertId,\\\", \\\"))\\r\\n|project AlertName, SystemAlertId, count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityAlert - IP\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"SystemAlertId\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"SecurityAlert\"},{\"type\":1,\"content\":{\"json\":\"### Azure Active Directory\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SigninLogs\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress), count_=count(IPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SigninLogs - IPAddress\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AAD-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADNonInteractiveUserSignInLogs\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress), count_=count(IPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AADNonInteractiveUserSignInLogs - IPAddress\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AAD-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AADServicePrincipalSignInLogs\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress), count_=count(IPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AADServicePrincipalSignInLogs - IPAddress\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AAD-3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ADFSSignInLogs\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress), count_=count(IPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"ADFSSignInLogs - IPAddress\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"Agency_Short\",\"label\":\"Agency\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AAD-4\"},{\"type\":1,\"content\":{\"json\":\"### Azure Activity, Azure AD Identity Protection,Microsoft Defender for Cloud, Azure Information Protection\"},\"name\":\"text - 2 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureActivity\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where CallerIpAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(CallerIpAddress), count_=count(CallerIpAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AzureActivity - CallerIpAddress\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AzureActivity-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n|where ProviderName == \\\"IPC\\\"\\r\\n|extend IPAddress_ = tostring(parse_json(ExtendedProperties).[\\\"Client IP Address\\\"])\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress_ has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress_), count_=count(IPAddress_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Azure AD Identity Protection - IPAddress_\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AADIPC-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n|where ProviderName == \\\"Azure Security Center\\\"\\r\\n|extend IPAddress_ = tostring(parse_json(ExtendedProperties).Answers)\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddress_ has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddress_), count_=count(IPAddress_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"showAnalytics\":true,\"title\":\"Microsoft Defender for Cloud - IPAddress_\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"Agency_Short\",\"label\":\"Agency\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"Microsoft Defender for Cloud\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"InformationProtectionLogs_CL\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPv4_s has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPv4_s), count_=count(IPv4_s) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Azure Information Protection - IPv4_s\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContext\":{\"durationMs\":14400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"AzureInformationProtection-IP\"},{\"type\":1,\"content\":{\"json\":\"### DNS Inventory\"},\"name\":\"text - 2 - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DnsEvents\\r\\n|where SubType == \\\"LookupQuery\\\"\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where IPAddresses has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddresses), count_=count(IPAddresses) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"DNSEvents - IPAddresses\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"DNSEvents-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DnsEvents\\r\\n|where SubType == \\\"LookupQuery\\\"\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where MaliciousIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(MaliciousIP), count_=count(MaliciousIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"DNSEvents - MaliciousIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"Agency_Short\",\"label\":\"Agency\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"DNSEvents-2\"},{\"type\":1,\"content\":{\"json\":\"### CommonSecurityLog\"},\"name\":\"text - 2 - Copy - Copy - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where SourceIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SourceIP), count_=count(SourceIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog- SourceIP\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"CommonSecurityLog-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where DestinationIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(DestinationIP), count_=count(DestinationIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog- DestinationIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"CommonSecurityLog-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where MaliciousIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(MaliciousIP), count_=count(MaliciousIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog- MaliciousIP\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"Agency_Short\",\"label\":\"Agency\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"CommonSecurityLog-3\"},{\"type\":1,\"content\":{\"json\":\"### OfficeActivity\"},\"name\":\"OfficeActivity\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where ClientIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(ClientIP),Type_=make_set(OfficeWorkload), count_=count(ClientIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend Type_ = tostring(strcat_array(Type_,\\\", \\\"))\\r\\n|project count_ ,IOC,Type_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"OfficeActivity (Other than Exchange) - ClientIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Agency\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"2fr\"}},{\"columnMatch\":\"count_\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"1fr\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"3fr\"}},{\"columnMatch\":\"Type_\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"2fr\"}}],\"sortBy\":[{\"itemKey\":\"count_\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"},{\"columnId\":\"Type_\",\"label\":\"Activity 
Type\"}]},\"sortBy\":[{\"itemKey\":\"count_\",\"sortOrder\":2}]},\"customWidth\":\"50\",\"name\":\"OfficeActivity-1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\r\\n|where OfficeWorkload == \\\"Exchange\\\"\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|where Client_IPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(Client_IPAddress), count_=count(Client_IPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"OfficeActivity(Exchange) - Client_IPAddress\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"OfficeActivity-2\"},{\"type\":1,\"content\":{\"json\":\"### Syslog\"},\"name\":\"Syslog\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Syslog\\r\\n|where TimeGenerated {TimeRange:query}\\r\\n|extend IPAddresses_ = extract_all(@\\\"((?:[0-9]{1,3}\\\\.){3}[0-9]{1,3})\\\",SyslogMessage) //Extracting IP addresses from Syslog Message\\r\\n|where isnotempty(IPAddresses_) //Further data filter, only show records with IP Addresses\\r\\n|mv-expand IPAddresses_ // Expand the dynamic results into individual rows\\r\\n|where IPAddresses_ has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPAddresses_), count_=count(IPAddresses_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Syslog - IPAddresses_ (Regex:SyslogMessage) \",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"Syslog\"},{\"type\":1,\"content\":{\"json\":\"### Sysmon\"},\"name\":\"Event\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID ==3\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"SourceIp\\\\\\\">\\\" SourceIp \\\"\\\" * //parsing specific field inside EventID 3\\r\\n|summarize count() by TenantId, tostring(SourceIp) //Performance tweak\\r\\n|where SourceIp has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SourceIp), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - EventID 3 - SourceIP \",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 3 - SourceIp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID ==3\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, 
RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"DestinationIp\\\\\\\">\\\" DestinationIp \\\"\\\" * //parsing specific field inside EventID 3\\r\\n|summarize count() by TenantId, tostring(DestinationIp) //Performance tweak\\r\\n|where DestinationIp has_any {IP_IOC}\\r\\n|summarize IOC=make_set(DestinationIp), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - EventID 3 - DestinationIp\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 3 - DestinationIp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 22\\r\\n|project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"QueryResults\\\\\\\">\\\" QueryResults \\\"\\\" * //parsing specific field inside EventID 22\\r\\n|summarize count() by TenantId, tostring(QueryResults) //Performance tweak\\r\\n|where QueryResults has_any {IP_IOC}\\r\\n|summarize IOC=make_set(QueryResults), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project count_ ,IOC\\r\\n|sort by count_ desc\\r\\n\",\"size\":1,\"title\":\"Sysmon - EventID 22 - QueryResults\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Agency\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"count_\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"5%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"QueryName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"90\",\"name\":\"Sysmon - 22 - QueryResults\"},{\"type\":1,\"content\":{\"json\":\"### Notes\\r\\n\\r\\nThe EventID:22 results contains resolved domain(s) only, given the vast variations of data format in the raw data\"},\"customWidth\":\"10\",\"name\":\"text - 27\"},{\"type\":1,\"content\":{\"json\":\"### Security Events\"},\"name\":\"Security Events\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n|where IpAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IpAddress),EventID=make_set(EventID), count_=count(IpAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend EventID = tostring(strcat_array(EventID,\\\", \\\"))\\r\\n|project EventID, IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityEvents - IpAddress\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"SecurityEvent-IpAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n|where EventID in (5156,5157)\\r\\n|extend EvData = parse_xml(EventData)\\r\\n|extend EventDetail = EvData.EventData.Data\\r\\n| project-away EventData, EvData\\r\\n|extend SourceAddress = EventDetail.[3].[\\\"#text\\\"], DestAddress = EventDetail.[5].[\\\"#text\\\"]\\r\\n|where SourceAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SourceAddress),EventID=make_set(EventID), count_=count(SourceAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend EventID = tostring(strcat_array(EventID,\\\", \\\"))\\r\\n|project EventID, IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityEvents - SourceAddress (EventID: 5156 & 5157 Only)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"SecurityEvent-SourceAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n|where EventID in (5156,5157)\\r\\n|extend EvData = parse_xml(EventData)\\r\\n|extend EventDetail = EvData.EventData.Data\\r\\n| project-away EventData, EvData\\r\\n|extend SourceAddress = EventDetail.[3].[\\\"#text\\\"], DestAddress = EventDetail.[5].[\\\"#text\\\"]\\r\\n|where DestAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(DestAddress),EventID=make_set(EventID), count_=count(DestAddress) by 
TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend EventID = tostring(strcat_array(EventID,\\\", \\\"))\\r\\n|project EventID, IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityEvents - DestAddress (EventID: 5156 & 5157 Only)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"SecurityEvent-DestAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n|where EventID == 5158\\r\\n|extend EvData = parse_xml(EventData)\\r\\n|extend EventDetail = EvData.EventData.Data\\r\\n| project-away EventData, EvData\\r\\n|extend SourceAddress = EventDetail.[2].[\\\"#text\\\"]\\r\\n|where SourceAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SourceAddress),EventID=make_set(EventID), count_=count(SourceAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend EventID = tostring(strcat_array(EventID,\\\", \\\"))\\r\\n|project EventID, IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityEvents - SourceAddress (EventID: 5158 Only)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"25\",\"name\":\"SecurityEvent-SourceAddress - 5158\"},{\"type\":1,\"content\":{\"json\":\"### Microsoft Defender For Endpoint\"},\"name\":\"Microsoft Defender for Endpoint\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n|where FileOriginIP has_any 
{IP_IOC}\\r\\n|summarize IOC=make_set(FileOriginIP), count_=count(FileOriginIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - FileOriginIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceEvents - FileOriginIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n|where LocalIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(LocalIP), count_=count(LocalIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - LocalIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceEvents - LocalIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n|where RemoteIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(RemoteIP), count_=count(RemoteIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - RemoteIP\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceEvents - RemoteIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n|where FileOriginIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(FileOriginIP), count_=count(FileOriginIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - FileOriginIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceFileEvents - FileOriginIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n|where RequestSourceIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(RequestSourceIP), count_=count(RequestSourceIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - RequestSourceIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceFileEvents 
- RequestSourceIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceInfo\\r\\n|where PublicIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(PublicIP), count_=count(PublicIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceInfo - PublicIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceInfo - PublicIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceLogonEvents\\r\\n|where RemoteIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(RemoteIP), count_=count(RemoteIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceLogonEvents - RemoteIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceLogonEvents- RemoteIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n|where LocalIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(LocalIP), count_=count(LocalIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceNetworkEvents - LocalIP\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceNetworkEvents - LocalIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\r\\n|where RemoteIP has_any {IP_IOC}\\r\\n|summarize IOC=make_set(RemoteIP), count_=count(RemoteIP) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceNetworkEvents - RemoteIP\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"MSDE - DeviceNetworkEvents - RemoteIP\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n|where IPv4Dhcp has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPv4Dhcp), count_=count(IPv4Dhcp) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceNetworkInfo - IPv4Dhcp\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceNetworkInfo - 
IPv4Dhcp\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkInfo\\r\\n|where IPv6Dhcp has_any {IP_IOC}\\r\\n|summarize IOC=make_set(IPv6Dhcp), count_=count(IPv6Dhcp) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceNetworkInfo - IPv6Dhcp\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceNetworkInfo - IPv6Dhcp\"},{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Office 365\"},\"name\":\"text - 53\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n|where SenderIPv4 has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SenderIPv4), count_=count(SenderIPv4) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - EmailEvents - SenderIPv4\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"50\",\"name\":\"MSDE - EmailEvents - SenderIPv4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\r\\n|where SenderIPv6 has_any {IP_IOC}\\r\\n|summarize IOC=make_set(SenderIPv6), count_=count(SenderIPv6) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", 
\\\"))\\r\\n|project IOC, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - EmailEvents - SenderIPv6\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}]},\"customWidth\":\"50\",\"name\":\"MSDE - EmailEvents - SenderIPv6\"},{\"type\":1,\"content\":{\"json\":\"### Azure Diagnostics\"},\"name\":\"text - 49\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n|where clientIp_s has_any {IP_IOC}\\r\\n|summarize IOC=make_set(clientIp_s), Category=make_set(Category), count_=count(clientIp_s) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Category = tostring(strcat_array(Category,\\\", \\\"))\\r\\n|project IOC, Category, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AzureDiagnostics - clientIp_s\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"AzureDiagnostics - clientIp_s \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n|where clientIP_s has_any 
{IP_IOC}\\r\\n|summarize IOC=make_set(clientIP_s), Category=make_set(Category), count_=count(clientIP_s) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Category = tostring(strcat_array(Category,\\\", \\\"))\\r\\n|project IOC, Category, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AzureDiagnostics - clientIP_s\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"AzureDiagnostics - clientIP_s\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n|where CallerIPAddress has_any {IP_IOC}\\r\\n|summarize IOC=make_set(CallerIPAddress), Category=make_set(Category), count_=count(CallerIPAddress) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Category = tostring(strcat_array(Category,\\\", \\\"))\\r\\n|project IOC, Category, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AzureDiagnostics - CallerIPAddress\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"Agency\",\"sortOrder\":1}]},\"customWidth\":\"33\",\"name\":\"AzureDiagnostics - CallerIPAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"AzureDiagnostics\\r\\n|where client_ip_s has_any {IP_IOC}\\r\\n|summarize IOC=make_set(client_ip_s), Category=make_set(Category), count_=count(client_ip_s) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Category = tostring(strcat_array(Category,\\\", \\\"))\\r\\n|project IOC, Category, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"AzureDiagnostics - client_ip_s\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"Category\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"33\",\"name\":\"AzureDiagnostics - 
client_ip_s\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"ip\"},\"name\":\"ip-address\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"version\":\"KqlParameterItem/1.0\",\"name\":\"SHA256_IOC\",\"label\":\"SHA256 Hash\",\"type\":1,\"description\":\"Add SHA1 hashes in array format e.g. (\\\"hash1\\\",\\\"hash2\\\")\",\"value\":\"(\\\"9327b77c27070db62a6da46f0c1d8da2725c5ae0c24d6ccf9be6aa0da5f99600\\\",\\\"f157090fd3ccd4220298c06ce8734361b724d80459592b10ac632acc624f455e\\\",\\\"f11009988b813821857c8d2db0f88e1d45b20762f62a3cf432339f352b12cefe\\\")\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\"},\"timeContext\":{\"durationMs\":86400000},\"id\":\"2732e809-7fbd-4241-a435-ad6d44ac07ec\"},{\"id\":\"519ef4e6-ec90-4fcf-9e77-79bd28e27e4e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"SHA1_IOC\",\"type\":1,\"description\":\"Add SHA 256 hashes in array format e.g. (\\\"hash1\\\",\\\"hash2\\\")\",\"value\":\"(\\\"c8f5825499315eaf4b5046ff79ac9553e71ad1c0\\\")\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\"},\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"fbe9622d-a202-4e71-b7cf-7a6f9343ca96\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IMPHASH\",\"type\":1,\"description\":\"Add IMPHASH hashes in array format e.g. 
(\\\"hash1\\\",\\\"hash2\\\")\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\"},\"timeContext\":{\"durationMs\":86400000},\"value\":\"(\\\"c8f5825499315eaf4b5046ff79ac9553e71ad1c0\\\")\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 0\"},{\"type\":1,\"content\":{\"json\":\"# Notes:\\r\\n- Prioritize in using SHA256 over SHA1, unless certain table that only accepts SHA1\\r\\n- If only SHA1 information available, use VirusTotal to grab the SHA256\"},\"conditionalVisibility\":{\"parameterName\":\"Instructions\",\"comparison\":\"isEqualTo\",\"value\":\"Show\"},\"name\":\"text - 16\"},{\"type\":1,\"content\":{\"json\":\"## SecurityAlert - FileHash\"},\"name\":\"SecurityAlert2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\r\\n|summarize arg_max(TimeGenerated,*) by SystemAlertId\\r\\n| extend Entities = iff(isempty(Entities), todynamic('[{\\\"dummy\\\" : \\\"\\\"}]'), todynamic(Entities))\\r\\n| mv-expand Entities\\r\\n| evaluate bag_unpack(Entities, \\\"Entity_\\\")\\r\\n| extend Entity_Type = columnifexists(\\\"Entity_Type\\\", \\\"\\\")\\r\\n| extend Entity_Name = columnifexists(\\\"Entity_Name\\\", \\\"\\\")\\r\\n| extend Entity_ResourceId = columnifexists(\\\"Entity_ResourceId\\\", \\\"\\\")\\r\\n| extend Entity_Directory = columnifexists(\\\"Entity_Directory\\\", \\\"\\\")\\r\\n| extend Entity_Value = columnifexists(\\\"Entity_Value\\\", \\\"\\\")\\r\\n| extend Entity_HostName = columnifexists(\\\"Entity_HostName\\\", \\\"\\\")\\r\\n| extend Entity_Address = columnifexists(\\\"Entity_Address\\\", \\\"\\\")\\r\\n| extend Entity_ProcessId = columnifexists(\\\"Entity_ProcessId\\\", \\\"\\\")\\r\\n| extend Entity_Url = columnifexists(\\\"Entity_Url\\\", \\\"\\\")\\r\\n| extend Target = iif(Entity_Type == \\\"account\\\", Entity_Name, iif(Entity_Type == \\\"azure-resource\\\", Entity_ResourceId, iif(Entity_Type == 
\\\"cloud-application\\\", Entity_Name, iif(Entity_Type == \\\"dns\\\", Entity_Name, iif(Entity_Type == \\\"file\\\", strcat(Entity_Directory, \\\"\\\\\\\\\\\", Entity_Name), iif(Entity_Type == \\\"filehash\\\", Entity_Value, iif(Entity_Type == \\\"host\\\", Entity_HostName, iif(Entity_Type == \\\"ip\\\" , Entity_Address, iif(Entity_Type == \\\"malware\\\", Entity_HostName, iif(Entity_Type == \\\"network-connection\\\", Entity_Name, iif(Entity_Type == \\\"process\\\", Entity_ProcessId, iif(Entity_Type == \\\"registry-key\\\", Entity_Name, iif(Entity_Type == \\\"registry-value\\\", Entity_Name, iif(Entity_Type == \\\"security-group\\\", Entity_Name, iif(Entity_Type == \\\"url\\\", Entity_Url, \\\"NoTarget\\\")))))))))))))))\\r\\n|where Entity_Type == \\\"filehash\\\"\\r\\n|where Entity_Algorithm == \\\"SHA256\\\"\\r\\n|where Target has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(Target), AlertName=make_set(AlertName),SystemAlertId=make_set(SystemAlertId) ,count_=count(Target) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend AlertName = tostring(strcat_array(AlertName,\\\", \\\")), SystemAlertId = tostring(strcat_array(SystemAlertId,\\\", \\\"))\\r\\n|project AlertName, SystemAlertId, count_ ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityAlert - FileHash - SHA256\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"SystemAlertId\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"SecurityAlert - FileHash\"},{\"type\":1,\"content\":{\"json\":\"## 
CommonSecurityLog\"},\"name\":\"text - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n|where FileHash has_any {SHA1_IOC}\\r\\n|summarize IOC=make_set(FileHash), FileName=make_set(FileName) ,count_=count(FileHash) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC, FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog - FileHash - SHA1\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"CommonSecurityLog - FileHash - SHA1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n|where FileHash has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(FileHash), FileName=make_set(FileName) ,count_=count(FileHash) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC, FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog - FileHash - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"CommonSecurityLog - FileHash - 
SHA256\"},{\"type\":1,\"content\":{\"json\":\"## Sysmon\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 1\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"OriginalFileName\\\\\\\">\\\" OriginalFileName \\\"\\\" * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(OriginalFileName) //Performance tweak\\r\\n|where Hashes has_any {SHA256_IOC}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend SHA256_Hash = tostring(Hashes.SHA256) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(SHA256_Hash), OriginalFileName=make_set(OriginalFileName), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) , OriginalFileName = tostring(strcat_array(OriginalFileName,\\\", \\\"))\\r\\n|project count_ ,OriginalFileName ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 1 - SHA256_Hash - SHA256 (Child Process)\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 1 - SHA256_Hash - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 1\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"OriginalFileName\\\\\\\">\\\" OriginalFileName \\\"\\\" * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(OriginalFileName) //Performance tweak\\r\\n|where Hashes has_any {IMPHASH}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend IMPHASH_Hash = tostring(Hashes.IMPHASH) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(IMPHASH_Hash), OriginalFileName=make_set(OriginalFileName), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) , OriginalFileName = tostring(strcat_array(OriginalFileName,\\\", \\\"))\\r\\n|project count_ ,OriginalFileName ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 1 - 
IMPHASH_Hash - IMPHASH (Child Process)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 1 - IMPHASH_Hash - IMPHASH\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 6\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes) //Performance tweak\\r\\n|where Hashes has_any {SHA256_IOC}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend SHA256_Hash = tostring(Hashes.SHA256) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(SHA256_Hash), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) \\r\\n|project count_ , IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 6 - SHA256_Hash - SHA256 (Driver Loaded)\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 6 - SHA256_Hash - SHA256 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 6\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes) //Performance tweak\\r\\n|where Hashes has_any {IMPHASH}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend IMPHASH_Hash = tostring(Hashes.IMPHASH) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(IMPHASH_Hash), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) \\r\\n|project count_ , IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 6 - IMPHASH_Hash - IMPHASH (Driver Loaded)\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 6 - IMPHASH_Hash - IMPHASH \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 7\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"OriginalFileName\\\\\\\">\\\" OriginalFileName \\\"\\\" * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(OriginalFileName) //Performance tweak\\r\\n|where Hashes has_any {SHA256_IOC}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend SHA256_Hash = tostring(Hashes.SHA256) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(SHA256_Hash), OriginalFileName=make_set(OriginalFileName), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) , OriginalFileName = tostring(strcat_array(OriginalFileName,\\\", \\\"))\\r\\n|project count_ ,OriginalFileName ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 7 
- SHA256_Hash - SHA256 (Image Loaded)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 7 - SHA256_Hash - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 7\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"OriginalFileName\\\\\\\">\\\" OriginalFileName \\\"\\\" * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" *\\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(OriginalFileName) //Performance tweak\\r\\n|where Hashes has_any {IMPHASH}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend IMPHASH_Hash = tostring(Hashes.IMPHASH) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(IMPHASH_Hash), OriginalFileName=make_set(OriginalFileName), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) , OriginalFileName = tostring(strcat_array(OriginalFileName,\\\", \\\"))\\r\\n|project count_ ,OriginalFileName 
,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 7 - IMPHASH_Hash - IMPHASH (Image Loaded)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 7 - IMPHASH_Hash - IMPHASH \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 15\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"TargetFilename\\\\\\\">\\\" TargetFilename \\\"\\\" * \\\"\\\\\\\"Hash\\\\\\\">\\\" Hashes \\\"\\\" * \\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(TargetFilename) //Performance tweak\\r\\n|where Hashes has_any {SHA256_IOC}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend SHA256_Hash = tostring(Hashes.SHA256) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(SHA256_Hash), TargetFilename=make_set(TargetFilename), count_=sum(count_) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")) , TargetFilename = 
tostring(strcat_array(TargetFilename,\\\", \\\"))\\r\\n|project count_ ,TargetFilename ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 15 - SHA256_Hash - SHA256 (FileCreateStreamHash)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 15 - SHA256_Hash - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n|where Source =~ \\\"Microsoft-Windows-sysmon\\\" //Workaround since Sentinel Workbooks encounter conflict with target workspace when the searches contains the word 'Sysm0n'\\r\\n|where EventID == 26\\r\\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription, TenantId\\r\\n|parse EventData with * \\\"\\\\\\\"TargetFilename\\\\\\\">\\\" TargetFilename \\\"\\\" * \\\"\\\\\\\"Hashes\\\\\\\">\\\" Hashes \\\"\\\" * \\r\\n|summarize count() by TenantId, tostring(Hashes), tostring(TargetFilename) //Performance tweak\\r\\n|where Hashes has_any {SHA256_IOC}\\r\\n// Hashes parse section --START\\r\\n|extend Hashes = extract_all(@\\\"(?P\\\\w+)=(?P[a-zA-Z0-9]+)\\\", dynamic([\\\"key\\\",\\\"value\\\"]), tostring(Hashes)) //Transform Hashes field into dynamics format\\r\\n|mv-apply todynamic(Hashes) on (summarize Hashes = make_bag(pack(tostring(Hashes[0]), tostring(Hashes[1])))) //Address inconsistency on hashes used on different agencies\\r\\n|extend SHA256_Hash = tostring(Hashes.SHA256) //Grab only Hash 256\\r\\n// Hashes parse section --END\\r\\n|summarize IOC=make_set(SHA256_Hash), TargetFilename=make_set(TargetFilename), count_=sum(count_) by TenantId\\r\\n|extend IOC 
= tostring(strcat_array(IOC,\\\", \\\")) , TargetFilename = tostring(strcat_array(TargetFilename,\\\", \\\"))\\r\\n|project count_ ,TargetFilename ,IOC\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"Sysmon - 26 - SHA256_Hash - SHA256 (FileDeleteDetected)\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"Sysmon - 26 - SHA256_Hash - SHA256\"},{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Endpoint\"},\"name\":\"text - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n|where InitiatingProcessSHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(InitiatingProcessSHA256), InitiatingProcessFileName=make_set(InitiatingProcessFileName),count_=count(InitiatingProcessSHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend InitiatingProcessFileName = tostring(strcat_array(InitiatingProcessFileName,\\\", \\\"))\\r\\n|project IOC,InitiatingProcessFileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - InitiatingProcessSHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"InitiatingProcessFileName\",\"label\":\"Process 
Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceEvents - InitiatingProcessSHA256 - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\r\\n|where SHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(SHA256), FileName=make_set(FileName), count_=count(SHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC,FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceEvents - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n|where InitiatingProcessSHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(InitiatingProcessSHA256),InitiatingProcessFileName=make_set(InitiatingProcessFileName), count_=count(InitiatingProcessSHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend InitiatingProcessFileName = tostring(strcat_array(InitiatingProcessFileName,\\\", \\\"))\\r\\n|project IOC,InitiatingProcessFileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - InitiatingProcessSHA256\",\"noDataMessage\":\"No IOC 
Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"InitiatingProcessFileName\",\"label\":\"Process Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileEvents - InitiatingProcessSHA256 - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\r\\n|where SHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(SHA256), FileName=make_set(FileName),count_=count(SHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC, FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileEvents - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileCertificateInfo\\r\\n|where SHA1 has_any {SHA1_IOC}\\r\\n|summarize IOC=make_set(SHA1), Issuer = make_set(Issuer), count_=count(SHA1) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend Issuer = tostring(strcat_array(Issuer,\\\", \\\"))\\r\\n|project IOC, Issuer, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileCertificateInfo 
- SHA1\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileCertificateInfo - SHA1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailAttachmentInfo\\r\\n|where SHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(SHA256), FileName=make_set(FileName), count_=count(SHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC,FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - EmailAttachmentInfo - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - EmailAttachmentInfo - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceImageLoadEvents\\r\\n|where InitiatingProcessSHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(InitiatingProcessSHA256),InitiatingProcessFileName=make_set(InitiatingProcessFileName), count_=count(InitiatingProcessSHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend InitiatingProcessFileName = tostring(strcat_array(InitiatingProcessFileName,\\\", \\\"))\\r\\n|project IOC, 
InitiatingProcessFileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceImageLoadEvents - InitiatingProcessSHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"InitiatingProcessFileName\",\"label\":\"Process Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceImageLoadEvents - InitiatingProcessSHA256 - SHA256 \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceImageLoadEvents\\r\\n|where SHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(SHA256), FileName=make_set(FileName), count_=count(SHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC, FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceImageLoadEvents - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceImageLoadEvents - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\r\\n|where InitiatingProcessSHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(InitiatingProcessSHA256), InitiatingProcessFileName=make_set(InitiatingProcessFileName), 
count_=count(InitiatingProcessSHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend InitiatingProcessFileName = tostring(strcat_array(InitiatingProcessFileName,\\\", \\\"))\\r\\n|project IOC, InitiatingProcessFileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceProcessEvents - InitiatingProcessSHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"InitiatingProcessFileName\",\"label\":\"Process Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceProcessEvents- InitiatingProcessSHA256 - SHA256\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\r\\n|where SHA256 has_any {SHA256_IOC}\\r\\n|summarize IOC=make_set(SHA256),FileName=make_set(FileName), count_=count(SHA256) by TenantId\\r\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\r\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\r\\n|project IOC,FileName, count_\\r\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceProcessEvents - SHA256\",\"noDataMessage\":\"No IOC Found\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"80%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceProcessEvents - 
SHA256\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"filehash\"},\"name\":\"file-hash\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e40fc7ee-23fb-4339-8fa8-a7fe07592f79\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_IOC\",\"type\":1,\"description\":\"Put multiple URL in the following array format (\\\"url.com/main.php\\\", \\\"url2.com/menu.php\\\")\",\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\",\"multiLineHeight\":4},\"timeContext\":{\"durationMs\":86400000},\"value\":\"(\\\"emirjk.ru\\\",\\\"google.com\\\")\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"## Security Alert - URL\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\n|summarize arg_max(TimeGenerated,*) by SystemAlertId\\n| extend Entities = iff(isempty(Entities), todynamic('[{\\\"dummy\\\" : \\\"\\\"}]'), todynamic(Entities))\\n| mv-expand Entities\\n| evaluate bag_unpack(Entities, \\\"Entity_\\\")\\n| extend Entity_Type = columnifexists(\\\"Entity_Type\\\", \\\"\\\")\\n| extend Entity_Name = columnifexists(\\\"Entity_Name\\\", \\\"\\\")\\n| extend Entity_ResourceId = columnifexists(\\\"Entity_ResourceId\\\", \\\"\\\")\\n| extend Entity_Directory = columnifexists(\\\"Entity_Directory\\\", \\\"\\\")\\n| extend Entity_Value = columnifexists(\\\"Entity_Value\\\", \\\"\\\")\\n| extend Entity_HostName = columnifexists(\\\"Entity_HostName\\\", \\\"\\\")\\n| extend Entity_Address = columnifexists(\\\"Entity_Address\\\", \\\"\\\")\\n| extend Entity_ProcessId = columnifexists(\\\"Entity_ProcessId\\\", \\\"\\\")\\n| extend Entity_Url = columnifexists(\\\"Entity_Url\\\", \\\"\\\")\\n| extend Target = iif(Entity_Type 
== \\\"account\\\", Entity_Name, iif(Entity_Type == \\\"azure-resource\\\", Entity_ResourceId, iif(Entity_Type == \\\"cloud-application\\\", Entity_Name, iif(Entity_Type == \\\"dns\\\", Entity_Name, iif(Entity_Type == \\\"file\\\", strcat(Entity_Directory, \\\"\\\\\\\\\\\", Entity_Name), iif(Entity_Type == \\\"filehash\\\", Entity_Value, iif(Entity_Type == \\\"host\\\", Entity_HostName, iif(Entity_Type == \\\"ip\\\" , Entity_Address, iif(Entity_Type == \\\"malware\\\", Entity_HostName, iif(Entity_Type == \\\"network-connection\\\", Entity_Name, iif(Entity_Type == \\\"process\\\", Entity_ProcessId, iif(Entity_Type == \\\"registry-key\\\", Entity_Name, iif(Entity_Type == \\\"registry-value\\\", Entity_Name, iif(Entity_Type == \\\"security-group\\\", Entity_Name, iif(Entity_Type == \\\"url\\\", Entity_Url, \\\"NoTarget\\\")))))))))))))))\\n|where Entity_Type == \\\"url\\\"\\n|where Target has_any {URL_IOC}\\n|summarize IOC=make_set(Target), AlertName=make_set(AlertName),SystemAlertId=make_set(SystemAlertId) ,count_=count(Target) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend AlertName = tostring(strcat_array(AlertName,\\\", \\\")), SystemAlertId = tostring(strcat_array(SystemAlertId,\\\", \\\"))\\n|project AlertName, SystemAlertId, count_ ,IOC\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityAlert - URL\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"SecurityAlert - URL\"},{\"type\":1,\"content\":{\"json\":\"## CommonSecurityLog\"},\"name\":\"text - 
4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\n|where TimeGenerated {TimeRange:query}\\n|where RequestURL has_any {URL_IOC}\\n|summarize IOC=make_set(RequestURL), count_=count(RequestURL) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|project count_ ,IOC\\n|sort by count_ desc\",\"size\":1,\"title\":\"CommonSecurityLog - RequestURL\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"## DNS\"},\"name\":\"text - 25\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DnsEvents\\n|where SubType == \\\"LookupQuery\\\"\\n|where TimeGenerated {TimeRange:query}\\n|where Name has_any {URL_IOC}\\n|summarize IOC=make_set(Name), count_=count(Name) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|project count_ ,IOC\\n|sort by count_ desc\",\"size\":1,\"title\":\"DNS - DnsEvents\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"DNS - DnsEvents\"},{\"type\":1,\"content\":{\"json\":\"## Office 365\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\n|where TimeGenerated {TimeRange:query}\\n|where OfficeObjectId has_any {URL_IOC}\\n|summarize IOC=make_set(OfficeObjectId),Type_=make_set(OfficeWorkload, 100000), count_=count(OfficeObjectId) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend Type_ = tostring(strcat_array(Type_,\\\", \\\"))\\n|project 
count_ ,IOC,Type_\\n|sort by count_ desc\",\"size\":1,\"title\":\"OfficeActivity - OfficeObjectId\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"OfficeActivity\\n|where TimeGenerated {TimeRange:query}\\n|where Site_Url has_any {URL_IOC}\\n|summarize IOC=make_set(Site_Url),Type_=make_set(OfficeWorkload, 100000), count_=count(Site_Url) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend Type_ = tostring(strcat_array(Type_,\\\", \\\"))\\n|project count_ ,IOC,Type_\\n|sort by count_ desc\",\"size\":1,\"title\":\"OfficeActivity - Site_Url\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"},{\"columnId\":\"Type_\",\"label\":\"Type\"}]}},\"customWidth\":\"50\",\"name\":\"OfficeActivity - Site_Url\"},{\"type\":1,\"content\":{\"json\":\"## Security Event\"},\"name\":\"text - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\n|where CommandLine has_any {URL_IOC}\\n|summarize IOC=make_set(CommandLine),EventID=make_set(EventID), count_=count(CommandLine) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend EventID = tostring(strcat_array(EventID,\\\", \\\"))\\n|project EventID, IOC, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"SecurityEvent - CommandLine\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"SecurityEvent - 
CommandLine\"},{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Endpoint\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\n|where FileOriginUrl has_any {URL_IOC}\\n|summarize FileName=make_set(FileName), IOC=make_set(FileOriginUrl), count_=count(FileOriginUrl) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|project FileName, IOC, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - FileOriginUrl\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"FileName\",\"label\":\"File Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceEvents - FileOriginUrl\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceEvents\\n|where RemoteUrl has_any {URL_IOC}\\n|summarize InitiatingProcessFileName=make_set(InitiatingProcessFileName), IOC=make_set(RemoteUrl), count_=count(RemoteUrl) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), InitiatingProcessFileName = tostring(strcat_array(InitiatingProcessFileName,\\\", \\\"))\\n|project InitiatingProcessFileName, IOC, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceEvents - 
RemoteUrl\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"InitiatingProcessFileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"15%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"InitiatingProcessFileName\",\"label\":\"Initiating Process FileName\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceEvents - RemoteUrl-2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\n|where FileOriginUrl has_any {URL_IOC}\\n|summarize IOC=make_set(FileOriginUrl),FileName=make_set(FileName), count_=count(FileOriginUrl) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\n|project IOC, FileName, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - FileOriginUrl\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileEvents - FileOriginUrl\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileEvents\\n|where FileOriginReferrerUrl has_any {URL_IOC}\\n|summarize IOC=make_set(FileOriginReferrerUrl),FileName=make_set(FileName), count_=count(FileOriginReferrerUrl) by 
TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\n|project IOC, FileName, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileEvents - FileOriginReferrerUrl\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileEvents - FileOriginReferrerUrl\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\n|where InitiatingProcessCommandLine has_any {URL_IOC}\\n|summarize IOC=make_set(InitiatingProcessCommandLine),FileName=make_set(FileName), count_=count(InitiatingProcessCommandLine) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\n|project IOC, FileName, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceProcessEvents - InitiatingProcessCommandLine\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceProcessEvents - 
InitiatingProcessCommandLine\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceProcessEvents\\n|where ProcessCommandLine has_any {URL_IOC}\\n|summarize IOC=make_set(ProcessCommandLine),FileName=make_set(FileName), count_=count(ProcessCommandLine) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\n|project IOC, FileName, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceProcessEvents - ProcessCommandLine\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceProcessEvents - ProcessCommandLine\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceImageLoadEvents\\n|where InitiatingProcessCommandLine has_any {URL_IOC}\\n|summarize IOC=make_set(InitiatingProcessCommandLine),FileName=make_set(FileName), count_=count(InitiatingProcessCommandLine) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend FileName = tostring(strcat_array(FileName,\\\", \\\"))\\n|project IOC, FileName, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceImageLoadEvents - 
InitiatingProcessCommandLine\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceImageLoadEvents - InitiatingProcessCommandLine\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceRegistryEvents\\n|where RegistryValueData has_any {URL_IOC}\\n|summarize IOC=make_set(RegistryValueData),ActionType=make_set(ActionType), count_=count(RegistryValueData) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend ActionType = tostring(strcat_array(ActionType,\\\", \\\"))\\n|project IOC, ActionType, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceRegistryEvents - RegistryValueData\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"FileName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceRegistryEvents - RegistryValueData\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceFileCertificateInfo\\n|where CrlDistributionPointUrls has_any {URL_IOC}\\n|summarize IOC=make_set(CrlDistributionPointUrls), count_=count(CrlDistributionPointUrls) by TenantId\\n|extend IOC = 
tostring(strcat_array(IOC,\\\", \\\"))\\n|project IOC, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceFileCertificateInfo - CrlDistributionPointUrls\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceFileCertificateInfo - CrlDistributionPointUrls\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"DeviceNetworkEvents\\n|where RemoteUrl has_any {URL_IOC}\\n|summarize IOC=make_set(RemoteUrl), count_=count(RemoteUrl) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|project IOC, count_\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDE - DeviceNetworkEvents - RemoteUrl\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"40%\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"MSDE - DeviceNetworkEvents - RemoteUrl\"},{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Office 365\"},\"name\":\"text - 18\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"crossComponentResources\":[\"{Workspace}\"],\"parameters\":[{\"id\":\"65985eea-0c6b-412a-bdda-29533e73c7b4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DeliveryAction\",\"label\":\"Delivery 
Action\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"jsonData\":\"[\\n { \\\"value\\\":\\\"Delivered\\\", \\\"label\\\":\\\"Delivered\\\"},\\n { \\\"value\\\":\\\"Blocked\\\", \\\"label\\\":\\\"Blocked\\\" },\\n { \\\"value\\\":\\\"Junked\\\", \\\"label\\\":\\\"Junked\\\"},\\n { \\\"value\\\":\\\"Unknown\\\", \\\"label\\\":\\\"Unknown\\\"}\\n]\",\"timeContext\":{\"durationMs\":14400000},\"defaultValue\":\"value::all\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"20\",\"name\":\"parameters - 24\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailUrlInfo\\n|where TimeGenerated {TimeRange:value}\\n|where Url has_any {URL_IOC}\\n|join kind=inner\\n(\\nEmailEvents\\n|where TimeGenerated {TimeRange:value}\\n| where DeliveryAction in ({DeliveryAction:value})\\n) on NetworkMessageId\\n|summarize IOC=make_set(Url), count_=count(Url), Recipient=make_set(RecipientEmailAddress) , Sender=make_set(SenderMailFromAddress), EmailSubject=make_set(Subject), DeliveryAction=make_set(DeliveryAction) ,FirstEvent= min(TimeGenerated), LastEvent=max(TimeGenerated) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Recipient = tostring(strcat_array(Recipient,\\\", \\\")), Sender = tostring(strcat_array(Sender,\\\", \\\")), EmailSubject = tostring(strcat_array(EmailSubject,\\\", \\\")), DeliveryAction = tostring(strcat_array(DeliveryAction,\\\", \\\"))\\n|project IOC, count_, FirstEvent, LastEvent, DeliveryAction ,Recipient, Sender, EmailSubject\\n|sort by count_ desc\",\"size\":0,\"title\":\"MSDO365 - EmailUrlInfo - 
Url\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"},{\"columnId\":\"DeliveryAction\",\"label\":\"Delivery Action\"},{\"columnId\":\"EmailSubject\",\"label\":\"Email Subject\"}]}},\"name\":\"MSDO365 - EmailUrlInfo - Url\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"UrlClickEvents\\n|where TimeGenerated {TimeRange:value}\\n|where Url has_any {URL_IOC}\\n|join kind=leftouter\\n(\\nEmailEvents\\n|where TimeGenerated {TimeRange:value}\\n) on NetworkMessageId\\n|summarize IOC=make_set(Url), count_=count(Url), ActionType=make_set(ActionType), Account=make_set(AccountUpn), FirstEvent= min(TimeGenerated), LastEvent=max(TimeGenerated) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")), ActionType = tostring(strcat_array(ActionType,\\\", \\\")), Account = tostring(strcat_array(Account,\\\", \\\"))\\n|project IOC, count_, ActionType, Account, FirstEvent, LastEvent\\n|sort by count_ desc\",\"size\":1,\"title\":\"MSDO365 - UrlClickEvents - Url\",\"noDataMessageStyle\":3,\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"name\":\"MSDO365 - UrlClickEvents - 
Url\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"url\"},\"name\":\"url\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"loadType\":\"always\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a66098f8-6aa0-4439-9c84-e7be5831649a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"EMAIL_IOC\",\"label\":\"Email Address\",\"type\":1,\"description\":\"Recommend to only add 1 email IOC for deeper analysis\",\"isRequired\":true,\"typeSettings\":{\"multiLineText\":true,\"editorLanguage\":\"text\",\"multiLineHeight\":2},\"timeContext\":{\"durationMs\":86400000},\"value\":\"(\\\"sample@google.com\\\")\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":1,\"content\":{\"json\":\"## Overview of General Information on Email Deliverability\"},\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| where EmailDirection == \\\"Inbound\\\"\\n| summarize count() by DeliveryAction\",\"size\":0,\"title\":\"Email Inbound Deliverability in the {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"group\":\"DeliveryAction\",\"createOtherGroup\":null,\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"green\"},{\"seriesName\":\"Delivered\",\"color\":\"redBright\"},{\"seriesName\":\"Junked\",\"color\":\"orange\"},{\"color\":\"gray\"}]}},\"customWidth\":\"20\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where SenderMailFromAddress 
has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| where EmailDirection == \\\"Inbound\\\"\\n| where DeliveryAction == \\\"Delivered\\\"\\n| summarize count() by DeliveryLocation\",\"size\":0,\"title\":\"Email inbound deliverability by Location in the {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"piechart\",\"chartSettings\":{\"seriesLabelSettings\":[{\"seriesName\":\"Blocked\",\"color\":\"green\"},{\"seriesName\":\"Delivered\",\"color\":\"redBright\"}]}},\"customWidth\":\"20\",\"name\":\"query - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where TimeGenerated {TimeRange:value}\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| where EmailDirection == \\\"Inbound\\\"\\n| where DeliveryAction == \\\"Delivered\\\"\\n| project NetworkMessageId, DeliveryAction, DeliveryLocation, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject, SenderIPv4, EmailDirection, TenantId\\n| join kind=leftouter \\n( \\nEmailPostDeliveryEvents\\n| where TimeGenerated {TimeRange:value}\\n| summarize arg_max(TimeGenerated,*) by NetworkMessageId\\n| extend \\n DeliveryLocation_Post = DeliveryLocation, //Differentiate with original location\\n TenantId_Post = TenantId //Differentiate with original location\\n) on NetworkMessageId, RecipientEmailAddress\\n| extend \\n Action = iff(isempty(Action), \\\"No Action\\\", Action),\\n ActionResult = iff(isempty(ActionResult), \\\"No Result\\\",ActionResult),\\n ActionTrigger = iff(isempty(ActionTrigger), \\\"No Trigger\\\",ActionTrigger),\\n ActionType = iff(isempty(ActionType), \\\"No Action\\\",ActionType),\\n final_DeliveryLocation = iff(isempty(DeliveryLocation_Post), \\n iff(ActionType contains 
\\\"ZAP\\\", ActionType, DeliveryLocation),\\n DeliveryLocation_Post) //Find a final location of the email\\n| evaluate pivot(final_DeliveryLocation,count(RecipientEmailAddress),DeliveryLocation)\",\"size\":0,\"title\":\"Original Email Location vs. Final Email Location in the {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Phish ZAP\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Blank\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Delete\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"success\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Blank\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Inbox/folder\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"3\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Blank\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Junk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\">=\",\"representation\":\"2\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":\"Blank\",\"text\":\"{0}{1}\"}]}}],\"labelSettings\":[{\"columnId\":\"DeliveryLocation\",\"label\":\"Original Location\"}]}},\"customWidth\":\"30\",\"name\":\"query - 12\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where 
TimeGenerated {TimeRange:value}\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| where EmailDirection == \\\"Inbound\\\"\\n| where DeliveryAction == \\\"Delivered\\\"\\n| project NetworkMessageId, DeliveryAction, DeliveryLocation, SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject, SenderIPv4, EmailDirection, TenantId\\n| join kind=leftouter \\n( \\nEmailPostDeliveryEvents\\n| where TimeGenerated {TimeRange:value}\\n| summarize arg_max(TimeGenerated,*) by NetworkMessageId\\n| extend \\n DeliveryLocation_Post = DeliveryLocation, //Differentiate with original location\\n TenantId_Post = TenantId //Differentiate with original location\\n) on NetworkMessageId, RecipientEmailAddress\\n| extend \\n Action = iff(isempty(Action), \\\"No Action\\\", Action),\\n ActionResult = iff(isempty(ActionResult), \\\"No Result\\\",ActionResult),\\n ActionTrigger = iff(isempty(ActionTrigger), \\\"No Trigger\\\",ActionTrigger),\\n ActionType = iff(isempty(ActionType), \\\"No Action\\\",ActionType),\\n final_DeliveryLocation = iff(isempty(DeliveryLocation_Post), \\n iff(ActionType contains \\\"ZAP\\\", ActionType, DeliveryLocation),\\n DeliveryLocation_Post) //Find a final location of the email\\n| evaluate pivot(final_DeliveryLocation,count(RecipientEmailAddress),TenantId)\",\"size\":0,\"title\":\"Email final location by Agency in the {TimeRange:label}\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Phish 
ZAP\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Delete\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"green\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Inbox/folder\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"representation\":null,\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Junk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"1\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":null,\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"30\",\"name\":\"query - 13\"},{\"type\":1,\"content\":{\"json\":\"## Security Alert - mailMessage\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityAlert\\n|summarize arg_max(TimeGenerated,*) by SystemAlertId\\n| extend Entities = iff(isempty(Entities), todynamic('[{\\\"dummy\\\" : \\\"\\\"}]'), todynamic(Entities))\\n| mv-expand Entities\\n| evaluate bag_unpack(Entities, \\\"Entity_\\\")\\n| extend Entity_Type = columnifexists(\\\"Entity_Type\\\", \\\"\\\")\\n| extend Entity_Name = columnifexists(\\\"Entity_Name\\\", \\\"\\\")\\n| extend Entity_ResourceId = columnifexists(\\\"Entity_ResourceId\\\", \\\"\\\")\\n| extend Entity_Directory = columnifexists(\\\"Entity_Directory\\\", \\\"\\\")\\n| extend Entity_Value = 
columnifexists(\\\"Entity_Value\\\", \\\"\\\")\\n| extend Entity_HostName = columnifexists(\\\"Entity_HostName\\\", \\\"\\\")\\n| extend Entity_Address = columnifexists(\\\"Entity_Address\\\", \\\"\\\")\\n| extend Entity_ProcessId = columnifexists(\\\"Entity_ProcessId\\\", \\\"\\\")\\n| extend Entity_Url = columnifexists(\\\"Entity_Url\\\", \\\"\\\")\\n| extend Entity_Sender = columnifexists(\\\"Entity_Sender\\\", \\\"\\\")\\n| extend Target = iif(Entity_Type == \\\"account\\\", Entity_Name, iif(Entity_Type == \\\"azure-resource\\\", Entity_ResourceId, iif(Entity_Type == \\\"cloud-application\\\", Entity_Name, iif(Entity_Type == \\\"dns\\\", Entity_Name, iif(Entity_Type == \\\"file\\\", strcat(Entity_Directory, \\\"\\\\\\\\\\\", Entity_Name), iif(Entity_Type == \\\"filehash\\\", Entity_Value, iif(Entity_Type == \\\"host\\\", Entity_HostName, iif(Entity_Type == \\\"ip\\\" , Entity_Address, iif(Entity_Type == \\\"malware\\\", Entity_HostName, iif(Entity_Type == \\\"network-connection\\\", Entity_Name, iif(Entity_Type == \\\"process\\\", Entity_ProcessId, iif(Entity_Type == \\\"registry-key\\\", Entity_Name, iif(Entity_Type == \\\"registry-value\\\", Entity_Name, iif(Entity_Type == \\\"mailMessage\\\", Entity_Sender, iif(Entity_Type == \\\"security-group\\\", Entity_Name, iif(Entity_Type == \\\"url\\\", Entity_Url, \\\"NoTarget\\\"))))))))))))))))\\n|where Entity_Type == \\\"mailMessage\\\"\\n|where Target has_any {EMAIL_IOC}\\n|summarize IOC=make_set(Target), AlertName=make_set(AlertName),SystemAlertId=make_set(SystemAlertId) ,count_=count(Target), LatestTimestamp=max(TimeGenerated) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\"))\\n|extend AlertName = tostring(strcat_array(AlertName,\\\", \\\")), SystemAlertId = tostring(strcat_array(SystemAlertId,\\\", \\\"))\\n|project AlertName, SystemAlertId, LatestTimestamp, count_ ,IOC\\n|sort by LatestTimestamp desc\",\"size\":1,\"title\":\"Security Alert - mailMessage - 
Entity_Sender\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"AlertName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}},{\"columnMatch\":\"IOC\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"25%\"}}],\"sortBy\":[{\"itemKey\":\"LatestTimestamp\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"LatestTimestamp\",\"label\":\"Latest Timestamp\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]},\"sortBy\":[{\"itemKey\":\"LatestTimestamp\",\"sortOrder\":2}]},\"name\":\"Security Alert - mailMessage - Entity_Sender\"},{\"type\":1,\"content\":{\"json\":\"## Microsoft Defender for Office 365\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let time_step = {TimeRange:grain};\\nEmailEvents\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| extend IOC = SenderMailFromAddress\\n| make-series Email_Trend = count() default=0 on TimeGenerated in range({TimeRange:start}+time_step,{TimeRange:end}-time_step,time_step) by IOC\",\"size\":1,\"title\":\"EmailEvents - SenderMailFromAddress - Cross-sector overview\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"name\":\"EmailEvents - SenderMailFromAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where TimeGenerated {TimeRange:value}\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| join kind=leftouter \\n( \\nEmailPostDeliveryEvents\\n| where TimeGenerated {TimeRange:value}\\n| summarize arg_max(TimeGenerated,*) by 
NetworkMessageId\\n| extend \\n DeliveryLocation_Post = DeliveryLocation, //Differentiate with original location\\n TenantId_Post = TenantId\\n) on NetworkMessageId, RecipientEmailAddress\\n| extend \\n Action = iff(isempty(Action), \\\"No Action\\\", Action),\\n ActionResult = iff(isempty(ActionResult), \\\"No Result\\\",ActionResult),\\n ActionTrigger = iff(isempty(ActionTrigger), \\\"No Trigger\\\",ActionTrigger),\\n ActionType = iff(isempty(ActionType), \\\"No Action\\\",ActionType),\\n final_DeliveryLocation = iff(isempty(DeliveryLocation_Post), DeliveryLocation,DeliveryLocation_Post) //Find a final location of the email\\n| summarize IOC=make_set(SenderMailFromAddress), count_=count(SenderMailFromAddress) ,Recipient=make_set(RecipientEmailAddress), EmailSubject=make_set(Subject), DeliveryAction=make_set(DeliveryAction) ,FirstEvent= min(TimeGenerated), LastEvent=max(TimeGenerated) , final_DeliveryLocation=make_set(final_DeliveryLocation) by TenantId\\n| extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Recipient = tostring(strcat_array(Recipient,\\\", \\\")), EmailSubject = tostring(strcat_array(EmailSubject,\\\", \\\")), DeliveryAction = tostring(strcat_array(DeliveryAction,\\\", \\\")), final_DeliveryLocation = tostring(strcat_array(final_DeliveryLocation,\\\", \\\"))\\n| project FirstEvent, LastEvent, IOC, count_, Recipient, EmailSubject, DeliveryAction, final_DeliveryLocation\\n| sort by count_ desc\",\"size\":0,\"title\":\"EmailEvents - SenderMailFromAddress + 
EmailPostDeliveryAction\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Recipient\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"EmailSubject\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"FirstEvent\",\"label\":\"First Event\"},{\"columnId\":\"LastEvent\",\"label\":\"Last Event\"},{\"columnId\":\"count_\",\"label\":\"Count\"},{\"columnId\":\"EmailSubject\",\"label\":\"Email Subject\"},{\"columnId\":\"DeliveryAction\",\"label\":\"Delivery Action\"},{\"columnId\":\"final_DeliveryLocation\",\"label\":\"Final Delivery Location\"}]}},\"name\":\"EmailEvents - SenderMailFromAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n| where TimeGenerated {TimeRange:value}\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| project TimeGenerated, DeliveryAction, DeliveryLocation, SenderMailFromAddress, RecipientEmailAddress, Subject, NetworkMessageId\\n| join kind=inner \\n(\\nUrlClickEvents\\n| where TimeGenerated {TimeRange:value}\\n) on NetworkMessageId\\n| summarize IOC=make_set(SenderMailFromAddress) ,count_=count(SenderMailFromAddress), Recipient=make_set(RecipientEmailAddress), EmailSubject=make_set(Subject), DeliveryAction=make_set(DeliveryAction), DeliveryLocation=make_set(DeliveryLocation) , UserClick = make_set(AccountUpn) ,FirstEvent= min(TimeGenerated), LastEvent=max(TimeGenerated), Url=make_set(Url) by TenantId\\n| extend IOC = tostring(strcat_array(IOC,\\\", \\\")), Recipient = tostring(strcat_array(Recipient,\\\", \\\")), EmailSubject = tostring(strcat_array(EmailSubject,\\\", \\\")), DeliveryAction = tostring(strcat_array(DeliveryAction,\\\", \\\")), 
DeliveryLocation = tostring(strcat_array(DeliveryLocation,\\\", \\\")), Url = tostring(strcat_array(Url,\\\", \\\")), UserClick = tostring(strcat_array(UserClick,\\\", \\\"))\\n|project FirstEvent, LastEvent, IOC, count_, Recipient, UserClick, EmailSubject, DeliveryAction, DeliveryLocation, Url\\n|sort by count_ desc\\n\",\"size\":0,\"title\":\"UrlClickEvents - Click Events from email sent by Sender\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"UserClick\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}}],\"labelSettings\":[{\"columnId\":\"IOC\",\"label\":\"IOC (Email Sender)\"},{\"columnId\":\"count_\",\"label\":\"Count\"},{\"columnId\":\"UserClick\",\"label\":\"User Clicking the Link\"}]},\"sortBy\":[]},\"name\":\"UrlClickEvents - NetworkMessageId\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let time_step = {TimeRange:grain};\\nEmailEvents\\n| where SenderMailFromAddress has_any {EMAIL_IOC} or SenderFromAddress has_any {EMAIL_IOC} //Must use both P1 P2 column names\\n| extend IOC = RecipientEmailAddress\\n| make-series Email_Trend = count() default=0 on TimeGenerated in range({TimeRange:start}+time_step,{TimeRange:end}-time_step,time_step) by IOC\",\"size\":1,\"title\":\"EmailEvents - RecipientEmailAddress - Outbound email interaction with IOCS - Cross-sector overview\",\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"visualization\":\"timechart\"},\"name\":\"EmailEvents - RecipientEmailAddress\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"EmailEvents\\n|where RecipientEmailAddress has_any {EMAIL_IOC}\\n|summarize IOC=make_set(RecipientEmailAddress), 
count_=count(RecipientEmailAddress) ,Sender=make_set(SenderMailFromAddress) ,Recipient=make_set(RecipientEmailAddress), EmailSubject=make_set(Subject), DeliveryAction=make_set(DeliveryAction) ,FirstEvent= min(TimeGenerated), LastEvent=max(TimeGenerated) by TenantId\\n|extend IOC = tostring(strcat_array(IOC,\\\", \\\")),Sender = tostring(strcat_array(Sender,\\\", \\\")), Recipient = tostring(strcat_array(Recipient,\\\", \\\")), EmailSubject = tostring(strcat_array(EmailSubject,\\\", \\\")), DeliveryAction = tostring(strcat_array(DeliveryAction,\\\", \\\"))\\n|project FirstEvent, LastEvent, IOC, count_, Sender, Recipient, EmailSubject, DeliveryAction\\n|sort by count_ desc\",\"size\":0,\"title\":\"EmailEvents - RecipientEmailAddress - User outbound email interaction with IOCs\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"name\":\"EmailEvents - RecipientEmailAddress\"}]},\"conditionalVisibility\":{\"parameterName\":\"Tab\",\"comparison\":\"isEqualTo\",\"value\":\"email_external\"},\"name\":\"email_external\"}],\"isLocked\":false,\"fallbackResourceIds\":[],\"fromTemplateId\":\"sentinel-UserWorkbook\"}", + "version": "1.0", + "sourceId": "[variables('workbookSourceId')]", + "category": "[parameters('workbookType')]" + } + } + ], + "outputs": { + "workbookId": { + "type": "string", + "value": "[resourceId( 'microsoft.insights/workbooks', parameters('workbookId'))]" + } + }, + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#" +} \ No newline at end of file
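Review bot: several workbook items in the `email_external` group reuse the same `name` value, which Azure Workbooks treats as the item identifier; the timechart and the grid that follows it are both `"name":"EmailEvents - SenderMailFromAddress"`, and the last two items are both `"name":"EmailEvents - RecipientEmailAddress"`, so conditional visibility or step references that target these names become ambiguous. Suffix them the way the earlier items do (e.g. `"name":"EmailEvents - SenderMailFromAddress - trend"` for the timechart). Two smaller points in the same region: the final query ("EmailEvents - RecipientEmailAddress - User outbound email interaction with IOCs") computes both `IOC=make_set(RecipientEmailAddress)` and `Recipient=make_set(RecipientEmailAddress)`, so the projected `Recipient` column always duplicates `IOC` and can be dropped (the internal user is already carried in `Sender`); and the file is committed without a trailing newline (`\ No newline at end of file`), which the other templates in the repo presumably have, so add one before merging.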