Commit

Repackaging Security Threat Essential Solution
v-sudkharat committed Jul 6, 2023
1 parent ce84fbc commit 35b95a2
Showing 5 changed files with 214 additions and 259 deletions.
Expand Up @@ -42,7 +42,7 @@ query: |
| where TimeDelta <= time_threshold
| extend NetworkEventStartTime = EventStartTime, NetworkEventEndTime = EventEndTime
| extend SrcUsername = column_ifexists("SrcUsername", "Unknown")
| project-reorder SignInTime, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed, DeviceDetail, LocationDetails, NetworkLocationDetails, RiskEventTypes, UserAgent, NetworkEventStartTime, NetworkEventEndTime, SrcIpAddr, DstIpAddr, DstPortNumber, Dst, DvcHostname, SrcBytes, NetworkProtocol, SrcUsername
| project-reorder SignInTime, UserPrincipalName, IPAddress, AppDisplayName, ClientAppUsed, DeviceDetail, LocationDetails, NetworkLocationDetails, RiskEventTypes, UserAgent, NetworkEventStartTime, NetworkEventEndTime, SrcIpAddr, DstIpAddr, DstPortNumber, Dvc, DvcHostname, SrcBytes, NetworkProtocol, SrcUsername
entityMappings:
- entityType: Account
fieldMappings:
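Review bot: The only change in this hunk is swapping `Dst` for `Dvc` in the `project-reorder` list, and `project-reorder` only affects column order, so this edit by itself does not add a `Dvc` column to the output; confirm that the query above the visible context actually emits `Dvc` (the ASIM device field) rather than `Dst`, otherwise the reorder is a no-op and the entity mappings that follow still see whichever name the query really produces.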
Expand All @@ -61,5 +61,5 @@ alertDetailsOverride:
This detection looks for successful Azure AD sign ins (in this case from {{UserPrincipalName}}) that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services.
It then looks for a network connection to the IP address (in this case {{IPAddress}}) that made the sign in immediately before the sign in, that may indicate a user connecting to a phishing site at that IP address and having their authentication session hijacked.
Ref: https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
version: 1.0.2
version: 1.0.3
kind: Scheduled
Expand Up @@ -8,7 +8,7 @@
"Hunting Queries/Signins-From-VPS-Providers.yaml"
],
"Analytic Rules": [
"Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml",
"Analytic Rules/Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml",
"Analytic Rules/Threat_Essentials_MultipleAdmin_membership_removals_from_NewAdmin.yaml",
"Analytic Rules/Threat_Essentials_NRT_UseraddedtoPrivilgedGroups.yaml",
"Analytic Rules/Threat_Essentials_TimeSeriesAnomaly_Mass_Cloud_Resource_Deletions.yaml",
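Review bot: The removed and added lines for `Threat_Essentials_Mail_redirect_via_ExO_transport_rule.yaml` are textually identical as rendered, so this is presumably a whitespace or line-ending (CRLF/LF) change; confirm with `git diff -w` that no invisible character was introduced, and if it is a line-ending normalization, a `.gitattributes` rule for `*.json` would stop it from reappearing in later repackaging commits.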
Expand All @@ -17,7 +17,7 @@
"Analytic Rules/PossibleAiTMPhishingAttemptAgainstAAD.yaml"
],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\SecurityThreatEssentialSolution",
"Version": "2.0.4",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": true
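Review bot: The solution `Version` jumps a major number (2.0.4 to 3.0.0) while the analytic rule in this same commit only moves 1.0.2 to 1.0.3 for a one-column change; if the major bump is meant to mark the repackaging itself (for example a template-spec format change), say so in the commit message or a release note, because the title "Repackaging Security Threat Essential Solution" alone does not tell a consumer whether an upgrade is breaking. The unchanged `BasePath` (`C:\\GitHub\\Azure-Sentinel\\...`) is a machine-specific absolute path; a repository-relative path would make the packaging input reproducible by anyone, not only on the original author's checkout.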
Binary file not shown.
Expand Up @@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution published by Microsoft is based on the continuous evaluation of threat campaigns and provides out-of-the-box security content that helps you to enhance your security posture.\r\nThis solution leverages the following tables:\r \n • AuditLogs \r \n • AzureActivity \r \n • CommonSecurityLog \r \n • OfficeActivity \r \n • SigninLogs \r \n • VMConnection\r\n\n\n**Analytic Rules:** 7, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis solution published by Microsoft is based on the continuous evaluation of threat campaigns and provides out-of-the-box security content that helps you to enhance your security posture.\r\nThis solution leverages the following tables:\r\n• AuditLogs\r\n• AzureActivity\r\n• CommonSecurityLog\r\n• OfficeActivity\r\n• SigninLogs\r\n• VMConnection\r\n\n\n**Analytic Rules:** 7, **Hunting Queries:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
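Review bot: This hunk only tightens the `\r \n • ` separators to `\r\n• ` so the table bullets render as a clean list, which is fine; while touching the hand-written description, verify that the counts "**Analytic Rules:** 7, **Hunting Queries:** 2" still match the `Analytic Rules` and `Hunting Queries` arrays in the solution data file changed in the same commit, since nothing generates these numbers and they drift silently when rules are added or removed.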