diff --git a/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml b/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml index 6d8efc1c266..755dea2bc9c 100644 --- a/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml +++ b/Solutions/Windows Security Events/Analytic Rules/NonDCActiveDirectoryReplication.yaml @@ -20,7 +20,7 @@ status: Available tactics: - CredentialAccess relevantTechniques: - - T1003 + - T1003.006 query: | // Enter a reference list of hostnames for your DC servers //let DCServersList = dynamic (["DC01.simulandlabs.com","DC02.simulandlabs.com"]); @@ -44,7 +44,7 @@ query: | | project-reorder TimeGenerated, Computer, Account, IpAddress | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.')) | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer) - | extend AccountName = tostring(split(Account, "\\")[0]), AccountNTDomain = tostring(split(Account, "\\")[1]) + | extend AccountNTDomain = tostring(split(Account, "\\")[0]), AccountName = tostring(split(Account, "\\")[1]) entityMappings: - entityType: Account @@ -67,5 +67,5 @@ entityMappings: fieldMappings: - identifier: Address columnName: IpAddress -version: 1.0.4 +version: 1.0.5 kind: Scheduled diff --git a/Solutions/Windows Security Events/Data/Solution_Windows Security Events.json b/Solutions/Windows Security Events/Data/Solution_Windows Security Events.json index 2470d456a13..ab1cd997d66 100644 --- a/Solutions/Windows Security Events/Data/Solution_Windows Security Events.json +++ b/Solutions/Windows Security Events/Data/Solution_Windows Security Events.json @@ -87,7 +87,7 @@ ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Windows Security Events\\", - "Version": "3.0.9", + "Version": "3.0.10", "TemplateSpec": true, "StaticDataConnectorIds": [ "SecurityEvents", 
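Review bot: The corrected `extend` in the `@@ -44` hunk degrades silently when `Account` carries no backslash: `split(Account, "\\")[1]` is then empty, so `AccountName` is blank and the whole value lands in `AccountNTDomain`, and the Account entity (Name <- AccountName) loses the user name. Whether `SecurityEvent.Account` is always in `DOMAIN\user` form for the 4662 events this rule selects is not visible in the diff; if it is not guaranteed, a guarded form such as `| extend AccountName = iff(Account contains "\\", tostring(split(Account, "\\")[1]), Account)` keeps the name populated. Either way a KQL comment above the extend, `// Account is DOMAIN\user: [0] is the NT domain, [1] the user name`, would record why the two indexes were swapped in 1.0.5, since the old order looked plausible at a glance. The same swap is carried into the packaged query in mainTemplate.json (hunk `@@ -2048`), which needs no separate edit once the YAML is regenerated.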
diff --git a/Solutions/Windows Security Events/Package/3.0.10.zip b/Solutions/Windows Security Events/Package/3.0.10.zip new file mode 100644 index 00000000000..3fba10b9a3b Binary files /dev/null and b/Solutions/Windows Security Events/Package/3.0.10.zip differ diff --git a/Solutions/Windows Security Events/Package/createUiDefinition.json b/Solutions/Windows Security Events/Package/createUiDefinition.json index 4f6ce63083c..dd2b677ae90 100644 --- a/Solutions/Windows Security Events/Package/createUiDefinition.json +++ b/Solutions/Windows Security Events/Package/createUiDefinition.json @@ -982,7 +982,7 @@ { "name": "huntingquery38", "type": "Microsoft.Common.Section", - "label": "User Account added to Built in Domain Local or Global Group", + "label": "User Account added to Built in Sensitive or Privileged Domain Local or Global Group", "elements": [ { "name": "huntingquery38-text", diff --git a/Solutions/Windows Security Events/Package/mainTemplate.json b/Solutions/Windows Security Events/Package/mainTemplate.json index ca7b57b95fb..73b55fb953a 100644 --- a/Solutions/Windows Security Events/Package/mainTemplate.json +++ b/Solutions/Windows Security Events/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Windows Security Events", - "_solutionVersion": "3.0.9", + "_solutionVersion": "3.0.10", "solutionId": "azuresentinel.azure-sentinel-solution-securityevents", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "SecurityEvents", 
@@ -134,11 +134,11 @@ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','05b4bccd-dd12-423d-8de4-5a6fb526bb4f','-', '1.0.2')))]" }, "analyticRuleObject10": { - "analyticRuleVersion10": "1.0.4", + "analyticRuleVersion10": "1.0.5", "_analyticRulecontentId10": "b9d2eebc-5dcb-4888-8165-900db44443ab", "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 'b9d2eebc-5dcb-4888-8165-900db44443ab')]", "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('b9d2eebc-5dcb-4888-8165-900db44443ab')))]", - "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b9d2eebc-5dcb-4888-8165-900db44443ab','-', '1.0.4')))]" + "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','b9d2eebc-5dcb-4888-8165-900db44443ab','-', '1.0.5')))]" }, "analyticRuleObject11": { "analyticRuleVersion11": "1.0.2", @@ -485,7 +485,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Windows Security Events data connector with template version 3.0.9", + "description": "Windows Security Events data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", 
@@ -640,7 +640,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Windows Security Events data connector with template version 3.0.9", + "description": "Windows Security Events data connector with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -795,7 +795,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSDBNamedPipeConnection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ADFSDBNamedPipeConnection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -846,16 +846,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserName" + "columnName": "UserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, 
@@ -863,16 +863,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } @@ -930,7 +930,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSRemoteAuthSyncConnection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ADFSRemoteAuthSyncConnection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -981,16 +981,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "ClaimsName" + "columnName": "ClaimsName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -998,16 +998,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] }, 
@@ -1015,8 +1015,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceAddress" + "columnName": "SourceAddress", + "identifier": "Address" } ] } @@ -1074,7 +1074,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADFSRemoteHTTPNetworkConnection_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ADFSRemoteHTTPNetworkConnection_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -1125,16 +1125,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "UserName" + "columnName": "UserName", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -1142,16 +1142,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] }, @@ -1159,8 +1159,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "SourceIp" + "columnName": "SourceIp", + "identifier": "Address" } ] } 
@@ -1218,7 +1218,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveLogonFailures_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ExcessiveLogonFailures_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -1269,16 +1269,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ] }, @@ -1286,16 +1286,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "WorkstationName" + "columnName": "WorkstationName", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] }, @@ -1303,8 +1303,8 @@ "entityType": "Process", "fieldMappings": [ { - "identifier": "CommandLine", - "columnName": "Process" + "columnName": "Process", + "identifier": "CommandLine" } ] } 
@@ -1362,7 +1362,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -1413,16 +1413,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -1430,16 +1430,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } 
@@ -1497,7 +1497,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "GainCodeExecutionADFSViaSMB_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "GainCodeExecutionADFSViaSMB_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -1548,16 +1548,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -1565,16 +1565,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } 
@@ -1632,7 +1632,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "LocalDeviceJoinInfoAndTransportKeyRegKeysAccess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "LocalDeviceJoinInfoAndTransportKeyRegKeysAccess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -1683,16 +1683,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "SubjectUserName" + "columnName": "SubjectUserName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "SubjectDomainName" + "columnName": "SubjectDomainName", + "identifier": "NTDomain" } ] }, @@ -1700,16 +1700,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] } 
@@ -1767,7 +1767,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleFailedFollowedBySuccess_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "MultipleFailedFollowedBySuccess_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1818,16 +1818,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "Name" + "columnName": "Name", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "NTDomain" + "columnName": "NTDomain", + "identifier": "NTDomain" } ] }, @@ -1835,16 +1835,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] }, @@ -1852,8 +1852,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } ] } 
@@ -1911,7 +1911,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NewEXEdeployedviaDefaultDomainorDefaultDomainControllerPolicies_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", @@ -1964,16 +1964,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } @@ -2031,7 +2031,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NonDCActiveDirectoryReplication_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NonDCActiveDirectoryReplication_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject10').analyticRuleVersion10]", 
@@ -2048,7 +2048,7 @@ "description": "This query detects potential attempts by non-computer accounts (non domain controllers) to retrieve/synchronize an active directory object leveraging directory replication services (DRS).\nA Domain Controller (computer account) would usually be performing these actions in a domain environment. Another detection rule can be created to cover domain controllers accounts doing at rare times.\nA domain user with privileged permissions to use directory replication services is rare.", "displayName": "Non Domain Controller Active Directory Replication", "enabled": false, - "query": "// Enter a reference list of hostnames for your DC servers\n//let DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountName = tostring(split(Account, \"\\\\\")[0]), AccountNTDomain = tostring(split(Account, \"\\\\\")[1])\n", + "query": "// Enter a reference list of hostnames for your DC servers\n//let 
DCServersList = dynamic ([\"DC01.simulandlabs.com\",\"DC02.simulandlabs.com\"]);\nSecurityEvent\n//| where Computer in (DCServersList)\n| where EventID == 4662 and ObjectServer == 'DS'\n| where AccountType != 'Machine'\n| where Properties has '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes\n or Properties has '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' //DS-Replication-Get-Changes-All\n or Properties has '89e95b76-444d-4c62-991a-0facbeda640c' //DS-Replication-Get-Changes-In-Filtered-Set\n| project TimeGenerated, Account, Activity, Properties, SubjectLogonId, Computer\n| join kind=leftouter\n(\n SecurityEvent\n //| where Computer in (DCServersList)\n | where EventID == 4624 and LogonType == 3\n | where AccountType != 'Machine'\n | project TargetLogonId, IpAddress\n)\non $left.SubjectLogonId == $right.TargetLogonId\n| project-reorder TimeGenerated, Computer, Account, IpAddress\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend AccountNTDomain = tostring(split(Account, \"\\\\\")[0]), AccountName = tostring(split(Account, \"\\\\\")[1])\n", "queryFrequency": "P1D", "queryPeriod": "P7D", "severity": "High", @@ -2074,6 +2074,9 @@ "tactics": [ "CredentialAccess" ], + "subTechniques": [ + "T1003.006" + ], "techniques": [ "T1003" ], @@ -2082,16 +2085,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, 
@@ -2099,16 +2102,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "NTDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "NTDomain" } ] }, @@ -2116,8 +2119,8 @@ "entityType": "IP", "fieldMappings": [ { - "identifier": "Address", - "columnName": "IpAddress" + "columnName": "IpAddress", + "identifier": "Address" } ] } @@ -2175,7 +2178,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NRT_base64_encoded_pefile_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject11').analyticRuleVersion11]", @@ -2225,16 +2228,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SubjectAccount" + "columnName": "SubjectAccount", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "SubjectUserName" + "columnName": "SubjectUserName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "SubjectDomainName" + "columnName": "SubjectDomainName", + "identifier": "NTDomain" } ] }, 
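Review bot: The Host entity for NonDCActiveDirectoryReplication in this hunk maps identifier `NTDomain` to `HostNameDomain`, whereas every other rule in this template (for example the `@@ -863` and `@@ -2376` hunks) maps `HostNameDomain` to `DnsDomain`, and the rule's own query derives `HostNameDomain` from the part of `Computer` after the first '.', which is a DNS suffix rather than an NT domain. The commit only reorders the two keys here, so the mismatch survives into 3.0.10 and the Host entity will carry the DNS suffix in its NTDomain field, which affects entity matching in incidents. mainTemplate.json is packaged output, so the fix belongs in the rule's YAML `entityMappings` Host block, which is not shown in this diff: change `identifier: NTDomain` to `identifier: DnsDomain` for `columnName: HostNameDomain` and regenerate the package, after which this hunk would read `"identifier": "DnsDomain"`.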
@@ -2242,16 +2245,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "DnsDomain" + "columnName": "DnsDomain", + "identifier": "DnsDomain" } ] } @@ -2309,7 +2312,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NRT_execute_base64_decodedpayload_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject12').analyticRuleVersion12]", @@ -2359,16 +2362,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "SubjectAccount" + "columnName": "SubjectAccount", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -2376,16 +2379,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } 
@@ -2443,7 +2446,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "NRT_SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "NRT_SecurityEventLogCleared_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject13').analyticRuleVersion13]", @@ -2490,16 +2493,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Account" + "columnName": "Account", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -2507,16 +2510,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } 
@@ -2574,7 +2577,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "password_not_set_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "password_not_set_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject14').analyticRuleVersion14]", @@ -2625,16 +2628,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetAccount" + "columnName": "TargetAccount", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] }, @@ -2642,8 +2645,8 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "Sid", - "columnName": "TargetSid" + "columnName": "TargetSid", + "identifier": "Sid" } ] }, @@ -2651,16 +2654,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] } 
@@ -2718,7 +2721,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialFodhelperUACBypass_AnalyticalRules Analytics Rule with template version 3.0.9", + "description": "PotentialFodhelperUACBypass_AnalyticalRules Analytics Rule with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject15').analyticRuleVersion15]", @@ -2772,16 +2775,16 @@ "entityType": "Host", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "Computer" + "columnName": "Computer", + "identifier": "FullName" }, { - "identifier": "HostName", - "columnName": "HostName" + "columnName": "HostName", + "identifier": "HostName" }, { - "identifier": "DnsDomain", - "columnName": "HostNameDomain" + "columnName": "HostNameDomain", + "identifier": "DnsDomain" } ] }, @@ -2789,16 +2792,16 @@ "entityType": "Account", "fieldMappings": [ { - "identifier": "FullName", - "columnName": "TargetAccount" + "columnName": "TargetAccount", + "identifier": "FullName" }, { - "identifier": "Name", - "columnName": "AccountName" + "columnName": "AccountName", + "identifier": "Name" }, { - "identifier": "NTDomain", - "columnName": "AccountNTDomain" + "columnName": "AccountNTDomain", + "identifier": "NTDomain" } ] } 
@@ -2856,7 +2859,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Potentialre-namedsdeleteusage_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "Potentialre-namedsdeleteusage_AnalyticalRules Analytics Rule with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject16').analyticRuleVersion16]",
@@ -2909,16 +2912,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "TargetAccount"
+ "columnName": "TargetAccount",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountNTDomain"
+ "columnName": "AccountNTDomain",
+ "identifier": "NTDomain"
 }
 ]
 },
@@ -2926,16 +2929,16 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
 ]
 }
@@ -2993,7 +2996,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ScheduleTaskHide_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "ScheduleTaskHide_AnalyticalRules Analytics Rule with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject17').analyticRuleVersion17]",
@@ -3044,16 +3047,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "TargetAccount"
+ "columnName": "TargetAccount",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountNTDomain"
+ "columnName": "AccountNTDomain",
+ "identifier": "NTDomain"
 }
 ]
 },
@@ -3061,16 +3064,16 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
 ]
 }
@@ -3128,7 +3131,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SdeletedeployedviaGPOandrunrecursively_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "SdeletedeployedviaGPOandrunrecursively_AnalyticalRules Analytics Rule with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject18').analyticRuleVersion18]",
@@ -3179,16 +3182,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "TargetAccount"
+ "columnName": "TargetAccount",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountNTDomain"
+ "columnName": "AccountNTDomain",
+ "identifier": "NTDomain"
 }
 ]
 },
@@ -3196,16 +3199,16 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
 ]
 }
@@ -3263,7 +3266,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "StartStopHealthService_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "StartStopHealthService_AnalyticalRules Analytics Rule with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject19').analyticRuleVersion19]",
@@ -3317,16 +3320,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "TargetAccount"
+ "columnName": "TargetAccount",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "AccountName"
+ "columnName": "AccountName",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "AccountNTDomain"
+ "columnName": "AccountNTDomain",
+ "identifier": "NTDomain"
 }
 ]
 },
@@ -3334,16 +3337,16 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "HostNameDomain"
+ "columnName": "HostNameDomain",
+ "identifier": "DnsDomain"
 }
 ]
 },
@@ -3351,8 +3354,8 @@
 "entityType": "IP",
 "fieldMappings": [
 {
- "identifier": "Address",
- "columnName": "IpAddress"
+ "columnName": "IpAddress",
+ "identifier": "Address"
 }
 ]
 }
@@ -3410,7 +3413,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "TimeSeriesAnomaly-ProcessExecutions_AnalyticalRules Analytics Rule with template version 3.0.9",
+ "description": "TimeSeriesAnomaly-ProcessExecutions_AnalyticalRules Analytics Rule with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleObject20').analyticRuleVersion20]",
@@ -3461,16 +3464,16 @@
 "entityType": "Account",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Account"
+ "columnName": "Account",
+ "identifier": "FullName"
 },
 {
- "identifier": "Name",
- "columnName": "Name"
+ "columnName": "Name",
+ "identifier": "Name"
 },
 {
- "identifier": "NTDomain",
- "columnName": "NTDomain"
+ "columnName": "NTDomain",
+ "identifier": "NTDomain"
 }
 ]
 },
@@ -3478,16 +3481,16 @@
 "entityType": "Host",
 "fieldMappings": [
 {
- "identifier": "FullName",
- "columnName": "Computer"
+ "columnName": "Computer",
+ "identifier": "FullName"
 },
 {
- "identifier": "HostName",
- "columnName": "HostName"
+ "columnName": "HostName",
+ "identifier": "HostName"
 },
 {
- "identifier": "DnsDomain",
- "columnName": "DnsDomain"
+ "columnName": "DnsDomain",
+ "identifier": "DnsDomain"
 }
 ]
 }
@@ -3545,7 +3548,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "EventAnalyzer Workbook with template version 3.0.9",
+ "description": "EventAnalyzer Workbook with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion1')]",
@@ -3637,7 +3640,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "IdentityAndAccess Workbook with template version 3.0.9",
+ "description": "IdentityAndAccess Workbook with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('workbookVersion2')]",
@@ -3729,7 +3732,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CommandsexecutedbyWMIonnewhosts-potentialImpacket_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "CommandsexecutedbyWMIonnewhosts-potentialImpacket_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]",
@@ -3814,7 +3817,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Crashdumpdisabledonhost_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Crashdumpdisabledonhost_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]",
@@ -3899,7 +3902,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "cscript_summary_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "cscript_summary_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]",
@@ -3980,7 +3983,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "CustomUserList_FailedLogons_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "CustomUserList_FailedLogons_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]",
@@ -4061,7 +4064,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "DecoyUserAccountAuthenticationAttempt_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "DecoyUserAccountAuthenticationAttempt_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]",
@@ -4146,7 +4149,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Discorddownloadinvokedfromcmdline_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Discorddownloadinvokedfromcmdline_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]",
@@ -4231,7 +4234,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "enumeration_user_and_group_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "enumeration_user_and_group_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]",
@@ -4312,7 +4315,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ExchangePowerShellSnapin_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "ExchangePowerShellSnapin_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]",
@@ -4397,7 +4400,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "FailedUserLogons_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "FailedUserLogons_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]",
@@ -4482,7 +4485,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "GroupAddedToPrivlegeGroup_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "GroupAddedToPrivlegeGroup_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]",
@@ -4567,7 +4570,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "HostExportingMailboxAndRemovingExport_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "HostExportingMailboxAndRemovingExport_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject11').huntingQueryVersion11]",
@@ -4652,7 +4655,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "HostsWithNewLogons_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "HostsWithNewLogons_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject12').huntingQueryVersion12]",
@@ -4737,7 +4740,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Invoke-PowerShellTcpOneLine_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Invoke-PowerShellTcpOneLine_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject13').huntingQueryVersion13]",
@@ -4822,7 +4825,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Least_Common_Parent_Child_Process_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Least_Common_Parent_Child_Process_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject14').huntingQueryVersion14]",
@@ -4903,7 +4906,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Least_Common_Process_Command_Lines_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Least_Common_Process_Command_Lines_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject15').huntingQueryVersion15]",
@@ -4984,7 +4987,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Least_Common_Process_With_Depth_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Least_Common_Process_With_Depth_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject16').huntingQueryVersion16]",
@@ -5065,7 +5068,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "masquerading_files_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "masquerading_files_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject17').huntingQueryVersion17]",
@@ -5146,7 +5149,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MSRPRN_Printer_Bug_Exploitation_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "MSRPRN_Printer_Bug_Exploitation_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject18').huntingQueryVersion18]",
@@ -5231,7 +5234,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "MultipleExplicitCredentialUsage4648Events_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "MultipleExplicitCredentialUsage4648Events_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject19').huntingQueryVersion19]",
@@ -5316,7 +5319,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NewChildProcessOfW3WP_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "NewChildProcessOfW3WP_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject20').huntingQueryVersion20]",
@@ -5401,7 +5404,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "new_processes_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "new_processes_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject21').huntingQueryVersion21]",
@@ -5482,7 +5485,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "NishangReverseTCPShellBase64_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "NishangReverseTCPShellBase64_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject22').huntingQueryVersion22]",
@@ -5567,7 +5570,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "persistence_create_account_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "persistence_create_account_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject23').huntingQueryVersion23]",
@@ -5652,7 +5655,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "PowerCatDownload_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "PowerCatDownload_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject24').huntingQueryVersion24]",
@@ -5737,7 +5740,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "powershell_downloads_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "powershell_downloads_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject25').huntingQueryVersion25]",
@@ -5818,7 +5821,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "powershell_newencodedscipts_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "powershell_newencodedscipts_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject26').huntingQueryVersion26]",
@@ -5899,7 +5902,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ProcessEntropy_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "ProcessEntropy_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject27').huntingQueryVersion27]",
@@ -5980,7 +5983,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareProcbyServiceAccount_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "RareProcbyServiceAccount_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject28').huntingQueryVersion28]",
@@ -6061,7 +6064,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareProcessPath_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "RareProcessPath_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject29').huntingQueryVersion29]",
@@ -6142,7 +6145,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareProcessWithCmdLine_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "RareProcessWithCmdLine_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject30').huntingQueryVersion30]",
@@ -6223,7 +6226,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RareProcess_forWinHost_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "RareProcess_forWinHost_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject31').huntingQueryVersion31]",
@@ -6304,7 +6307,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "ServiceInstallationFromUsersWritableDirectory_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "ServiceInstallationFromUsersWritableDirectory_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject32').huntingQueryVersion32]",
@@ -6389,7 +6392,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "SuspectedLSASSDump_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "SuspectedLSASSDump_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject33').huntingQueryVersion33]",
@@ -6474,7 +6477,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Suspicious_enumeration_using_adfind_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Suspicious_enumeration_using_adfind_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject34').huntingQueryVersion34]",
@@ -6559,7 +6562,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Suspicious_Windows_Login_outside_normal_hours_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "Suspicious_Windows_Login_outside_normal_hours_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject35').huntingQueryVersion35]",
@@ -6644,7 +6647,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "uncommon_processes_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "uncommon_processes_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject36').huntingQueryVersion36]",
@@ -6725,7 +6728,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "User Logons By Logon Type_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "User Logons By Logon Type_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject37').huntingQueryVersion37]",
@@ -6810,7 +6813,7 @@
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "UserAccountAddedToPrivlegeGroup_HuntingQueries Hunting Query with template version 3.0.9",
+ "description": "UserAccountAddedToPrivlegeGroup_HuntingQueries Hunting Query with template version 3.0.10",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('huntingQueryObject38').huntingQueryVersion38]",
@@ -6895,7 +6898,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAccountCreatedDeleted_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserAccountCreatedDeleted_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject39').huntingQueryVersion39]", @@ -6980,7 +6983,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserAdd_RemToGroupByUnauthorizedUser_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserAdd_RemToGroupByUnauthorizedUser_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject40').huntingQueryVersion40]", @@ -7065,7 +7068,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UserCreatedByUnauthorizedUser_HuntingQueries Hunting Query with template version 3.0.9", + "description": "UserCreatedByUnauthorizedUser_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject41').huntingQueryVersion41]", 
@@ -7150,7 +7153,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "VIPAccountFailedLogons_HuntingQueries Hunting Query with template version 3.0.9", + "description": "VIPAccountFailedLogons_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject42').huntingQueryVersion42]", @@ -7235,7 +7238,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsSystemTimeChange_HuntingQueries Hunting Query with template version 3.0.9", + "description": "WindowsSystemTimeChange_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject43').huntingQueryVersion43]", @@ -7320,7 +7323,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CreateDCInstallationMedia_HuntingQueries Hunting Query with template version 3.0.9", + "description": "CreateDCInstallationMedia_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject44').huntingQueryVersion44]", 
@@ -7405,7 +7408,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "InternalProxies_HuntingQueries Hunting Query with template version 3.0.9", + "description": "InternalProxies_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject45').huntingQueryVersion45]", @@ -7490,7 +7493,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ADAccountLockouts_HuntingQueries Hunting Query with template version 3.0.9", + "description": "ADAccountLockouts_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject46').huntingQueryVersion46]", @@ -7575,7 +7578,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "KrbRelayUpServiceCreation_HuntingQueries Hunting Query with template version 3.0.9", + "description": "KrbRelayUpServiceCreation_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject47').huntingQueryVersion47]", 
@@ -7660,7 +7663,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RemoteScheduledTaskCreationUpdateviaSchtasks_HuntingQueries Hunting Query with template version 3.0.9", + "description": "RemoteScheduledTaskCreationUpdateviaSchtasks_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject48').huntingQueryVersion48]", @@ -7745,7 +7748,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SuspiciousCommandlineTokenLolbas_HuntingQueries Hunting Query with template version 3.0.9", + "description": "SuspiciousCommandlineTokenLolbas_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject49').huntingQueryVersion49]", @@ -7830,7 +7833,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.9", + "description": "WindowsSystemShutdownReboot_HuntingQueries Hunting Query with template version 3.0.10", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject50').huntingQueryVersion50]", 
@@ -7911,7 +7914,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.9", + "version": "3.0.10", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Windows Security Events", diff --git a/Solutions/Windows Security Events/ReleaseNotes.md b/Solutions/Windows Security Events/ReleaseNotes.md index c767b36bc7c..2cf97914a15 100644 --- a/Solutions/Windows Security Events/ReleaseNotes.md +++ b/Solutions/Windows Security Events/ReleaseNotes.md @@ -1,5 +1,6 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------------------------------| +| 3.0.10 | 12-01-2026 | Update **Analytic Rule** NonDCActiveDirectoryReplication - fix swapped fields | | 3.0.9 | 01-10-2024 | Removed kind from **Hunting Query** [Service installation from user writable directory] | | 3.0.8 | 23-07-2024 | Updated the Workspace type from resource type picker to resource picker in **Workbook** | | 3.0.7 | 12-06-2024 | Fixed the bugs from **Analytic Rules** NRT_execute_base64_decodedpayload.yaml and ADFSRemoteAuthSyncConnection.yaml |