netevert · Mar 3, 2020
diff --git a/‎hunting/workbooks/attack_drilldown.json
+1,416-1,401 b/‎hunting/workbooks/attack_drilldown.json
+1,416-1,401
diff --git a/‎hunting/workbooks/computer_drilldown.json
+39-20 b/‎hunting/workbooks/computer_drilldown.json
+39-20
diff --git a/‎hunting/workbooks/file_create_drilldown.json
+550-540 b/‎hunting/workbooks/file_create_drilldown.json
+550-540
diff --git a/‎hunting/workbooks/functions/dns_whitelist.txt
+1 b/‎hunting/workbooks/functions/dns_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/file_access_whitelist.txt
+1 b/‎hunting/workbooks/functions/file_access_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/file_create_whitelist.txt
+1 b/‎hunting/workbooks/functions/file_create_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/image_load_whitelist.txt
+1 b/‎hunting/workbooks/functions/image_load_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/network_whitelist.txt
+1 b/‎hunting/workbooks/functions/network_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/pipe_whitelist.txt
+1 b/‎hunting/workbooks/functions/pipe_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/process_access_whitelist.txt
+1 b/‎hunting/workbooks/functions/process_access_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/process_create_whitelist.txt
+1 b/‎hunting/workbooks/functions/process_create_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/registry_whitelist.txt
+1 b/‎hunting/workbooks/functions/registry_whitelist.txt
+1
diff --git a/‎hunting/workbooks/functions/remote_thread_whitelist.txt
+1 b/‎hunting/workbooks/functions/remote_thread_whitelist.txt
+1
diff --git a/‎hunting/workbooks/network_connection_drilldown.json
+402-391 b/‎hunting/workbooks/network_connection_drilldown.json
+402-391
diff --git a/‎hunting/workbooks/pipe_name_drilldown.json
+422-411 b/‎hunting/workbooks/pipe_name_drilldown.json
+422-411
diff --git a/‎hunting/workbooks/process_guid_drilldown.json
+1,500-1,509 b/‎hunting/workbooks/process_guid_drilldown.json
+1,500-1,509
diff --git a/‎hunting/workbooks/trigger_overview.json
+276-295 b/‎hunting/workbooks/trigger_overview.json
+276-295
diff --git a/‎hunting/workbooks/user_drilldown.json
+21-12 b/‎hunting/workbooks/user_drilldown.json
+21-12
diff --git a/‎lab/files/dns_whitelist.csv
+2 b/‎lab/files/dns_whitelist.csv
+2
diff --git a/‎lab/files/file_access_whitelist.csv
+2 b/‎lab/files/file_access_whitelist.csv
+2
diff --git a/‎lab/files/file_create_whitelist.csv
+2 b/‎lab/files/file_create_whitelist.csv
+2
diff --git a/‎lab/files/image_load_whitelist.csv
+2 b/‎lab/files/image_load_whitelist.csv
+2
diff --git a/‎lab/files/network_whitelist.csv
+2 b/‎lab/files/network_whitelist.csv
+2
diff --git a/‎lab/files/pipe_whitelist.csv
+2 b/‎lab/files/pipe_whitelist.csv
+2
diff --git a/‎lab/files/process_access_whitelist.csv
+2 b/‎lab/files/process_access_whitelist.csv
+2
diff --git a/‎lab/files/process_create_whitelist.csv
+2 b/‎lab/files/process_create_whitelist.csv
+2
diff --git a/‎lab/files/registry_whitelist.csv
+2 b/‎lab/files/registry_whitelist.csv
+2
diff --git a/‎lab/files/remote_thread_whitelist.csv
+2 b/‎lab/files/remote_thread_whitelist.csv
+2
diff --git a/‎lab/main.tf
+113-4 b/‎lab/main.tf
+113-4
@@ -22,7 +22,7 @@
             "description": "Selects the time range for the drilldown",
             "isRequired": true,
             "value": {
-              "durationMs": 86400000
+              "durationMs": 5184000000
             },
             "typeSettings": {
               "selectableValues": [
@@ -88,6 +88,10 @@
             "typeSettings": {
               "additionalResourceOptions": []
             },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "time_range",
             "queryType": 0,
             "resourceType": "microsoft.operationalinsights/workspaces"
           }
@@ -102,7 +106,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
+        "query": "let process_path_create_whitelist = process_create_whitelist | project process_path;\r\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\r\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\r\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\r\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\r\nlet process_path_network_whitelist = network_whitelist | project process_path;\r\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\r\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\r\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
         "size": 0,
         "title": "Activity by technique",
         "timeContext": {
@@ -122,10 +126,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 1\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
+        "query": "let process_ppath_whitelist = process_create_whitelist | project process_parent_path;\r\nlet process_path_whitelist = process_create_whitelist | project process_path;\r\nlet command_line_whitelist = process_create_whitelist | project replace(\"'\", \"\", replace('\"', '', process_command_line));\r\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 1\r\n| where isnotempty(technique_name)\r\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Process create",
+        "title": "Process create (not whitelisted)",
+        "noDataMessage": "No process create activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -336,7 +341,7 @@
           }
         ]
       },
-      "name": "query - 2",
+      "name": "process-create-query",
       "styleSettings": {
         "progressStyle": "loader"
       }
@@ -345,10 +350,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 10\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
+        "query": "let process_path_whitelist = process_access_whitelist | project process_path;\r\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\r\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 10\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Process access",
+        "title": "Process access  (not whitelisted)",
+        "noDataMessage": "No process access activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -494,10 +500,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 11\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
+        "query": "let file_name_whitelist = file_create_whitelist | project file_name;\r\nlet file_path_whitelist = file_create_whitelist | project file_path;\r\nlet proc_path_whitelist = file_create_whitelist | project process_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 11\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "File created",
+        "title": "File created  (not whitelisted)",
+        "noDataMessage": "No file create activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -612,7 +619,7 @@
           ]
         }
       },
-      "name": "File-created-query",
+      "name": "file-created-query",
       "styleSettings": {
         "progressStyle": "loader"
       }
@@ -621,10 +628,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID  == 7\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
+        "query": "let process_path__whitelist = image_load_whitelist | project process_path;\r\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\r\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\r\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\r\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID  == 7\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
         "size": 0,
         "showAnalytics": true,
-        "title": "Image loaded",
+        "title": "Image loaded  (not whitelisted)",
+        "noDataMessage": "No image loaded activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -782,10 +790,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 3\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
+        "query": "let process_path_whitelist = network_whitelist | project process_path;\r\nlet src_ip_whitelist = network_whitelist | project src_ip;\r\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\r\nlet dst_port_whitelist = network_whitelist | project dst_port;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 3\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
         "size": 0,
         "showAnalytics": true,
-        "title": "Network connections",
+        "title": "Network connections  (not whitelisted)",
+        "noDataMessage": "No network connection activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -964,10 +973,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 12\r\n| where isnotempty(technique_name)| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path",
+        "query": "let event_type_whitelist = registry_whitelist | project event_type;\r\nlet process_path_whitelist = registry_whitelist | project process_path;\r\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 12\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path",
         "size": 0,
         "showAnalytics": true,
-        "title": "Registry access",
+        "title": "Registry access (not whitelisted)",
+        "noDataMessage": "No registry access activity matching ATT&CK techniques  for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1102,10 +1112,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where EventID == 17\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
+        "query": "let process_path_whitelist = pipe_whitelist | project process_path;\r\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\r\nSysmon\r\n| where EventID == 17\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Pipes",
+        "title": "Pipes (not whitelisted)",
+        "noDataMessage": "No pipe create and connect activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1229,10 +1240,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 22\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid",
+        "query": "let host_whitelist = dns_whitelist | project host;\r\nlet process_whitelist = dns_whitelist | project process_path;\r\nlet query_whitelist = dns_whitelist | project query_name;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 22\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_whitelist) and dns_query_name !in~ (query_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid",
         "size": 0,
         "showAnalytics": true,
-        "title": "DNS queries",
+        "title": "DNS queries (not whitelisted)",
+        "noDataMessage": "No DNS activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1459,6 +1471,13 @@
       "styleSettings": {
         "progressStyle": "loader"
       }
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "---\r\nComputer drilldown v.1.3.0, built by **Edoardo Gerosa**"
+      },
+      "name": "text - 12"
     }
   ],
   "fromTemplateId": "sentinel-UserWorkbook",
 
@@ -0,0 +1 @@
+externaldata (host:string, process_path:string, query_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (technique_id:string, host:string, process_path:string, file_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, file_name:string, file_path:string, process_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, process_path:string, driver_loaded:string, driver_is_signed:string, driver_signature:string, driver_signature_status:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, user_name:string, process_path:string, src_ip:string, dst_ip:string, dst_port:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, process_path:string, pipe_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, process_path:string, target_process_path:string, process_granted_access:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, user:string, process_parent_path:string, process_path:string, process_command_line:string, hash_sha256:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, event_type:string, process_path:string, registry_key_path:string, registry_key_details:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -0,0 +1 @@
+externaldata (host:string, event_type:string, process_path:string, target_process_path:string, target_process_address:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)
@@ -4,7 +4,7 @@
     {
       "type": 1,
       "content": {
-        "json": "## User drilldown workbook\n---\n"
+        "json": "## User drilldown workbook\n---\n**Note:** All data in this workbook excludes whitelisted events."
       },
       "name": "text - 2"
     },
@@ -22,7 +22,7 @@
             "description": "Selects time range of the drilldown",
             "isRequired": true,
             "value": {
-              "durationMs": 2419200000
+              "durationMs": 172800000
             },
             "typeSettings": {
               "selectableValues": [
@@ -105,7 +105,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\n| where UserName contains @\"{user_name_value}\"\n| where isnotempty(technique_name)\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
+        "query": "let process_path_create_whitelist = process_create_whitelist | project process_path;\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\nlet process_path_network_whitelist = network_whitelist | project process_path;\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\nSysmon\n| where UserName contains @\"{user_name_value}\"\n| where isnotempty(technique_name)\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
         "size": 1,
         "showAnalytics": true,
         "title": "User activity by technique",
@@ -127,7 +127,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where isnotempty(technique_name)\r\n| summarize c=count() by Computer, UserName\r\n| sort by c desc\r\n| project Computer, UserName, c",
+        "query": "let process_path_create_whitelist = process_create_whitelist | project process_path;\r\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\r\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\r\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\r\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\r\nlet process_path_network_whitelist = network_whitelist | project process_path;\r\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\r\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\r\nSysmon\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\r\n| summarize c=count() by Computer, UserName\r\n| sort by c desc\r\n| project Computer, UserName, c",
         "size": 0,
         "showAnalytics": true,
         "title": "User activity by host",
@@ -623,7 +623,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where RenderedDescription contains \"Process create\" and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
+        "query": "let process_ppath_whitelist = process_create_whitelist | project process_parent_path;\r\nlet process_path_whitelist = process_create_whitelist | project process_path;\r\nlet command_line_whitelist = process_create_whitelist | project replace(\"'\", \"\", replace('\"', '', process_command_line));\r\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\r\nSysmon\r\n| where RenderedDescription contains \"Process create\" and UserName == @\"{user_name_value}\"\r\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
         "size": 0,
         "showAnalytics": true,
         "title": "Process Create",
@@ -827,7 +827,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where RenderedDescription contains \"Process access\" and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
+        "query": "let process_path_whitelist = process_access_whitelist | project process_path;\r\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\r\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\r\nSysmon\r\n| where RenderedDescription contains \"Process access\" and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
         "size": 0,
         "showAnalytics": true,
         "title": "Process Access",
@@ -976,7 +976,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where RenderedDescription contains \"File create\" and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
+        "query": "let file_name_whitelist = file_create_whitelist | project file_name;\r\nlet file_path_whitelist = file_create_whitelist | project file_path;\r\nlet proc_path_whitelist = file_create_whitelist | project process_path;\r\nSysmon\r\n| where RenderedDescription contains \"File create\" and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
         "title": "File Created",
@@ -1103,7 +1103,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where RenderedDescription contains \"Image loaded\" and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
+        "query": "let process_path__whitelist = image_load_whitelist | project process_path;\r\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\r\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\r\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\r\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\r\nSysmon\r\n| where RenderedDescription contains \"Image loaded\" and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
         "size": 0,
         "showAnalytics": true,
         "title": "Image Loaded",
@@ -1274,7 +1274,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where RenderedDescription contains \"Network connect\" and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
+        "query": "let process_path_whitelist = network_whitelist | project process_path;\r\nlet src_ip_whitelist = network_whitelist | project src_ip;\r\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\r\nlet dst_port_whitelist = network_whitelist | project dst_port;\r\nSysmon\r\n| where RenderedDescription contains \"Network connect\" and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
         "size": 0,
         "showAnalytics": true,
         "title": "Network Connection",
@@ -1455,10 +1455,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where EventID == 8 and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, target_process_path, thread_new_id, process_guid, process_parent_guid",
+        "query": "let process_path_whitelist = remote_thread_whitelist | project process_path;\r\nlet target_process_path_whitelist = remote_thread_whitelist | project target_process_path;\r\nSysmon\r\n| where EventID == 8 and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, target_process_path, thread_new_id, process_guid, process_parent_guid",
         "size": 0,
         "showAnalytics": true,
         "title": "Create Remote Thread",
+        "noDataMessage": "No create remote thread events for selected time generated",
         "timeContext": {
           "durationMs": 0
         },
@@ -1476,7 +1477,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where EventID == 12 and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, process_id, process_guid, registry_key_path",
+        "query": "let event_type_whitelist = registry_whitelist | project event_type;\r\nlet process_path_whitelist = registry_whitelist | project process_path;\r\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\r\nSysmon\r\n| where EventID == 12 and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, process_id, process_guid, registry_key_path",
         "size": 0,
         "showAnalytics": true,
         "title": "Registry Access",
@@ -1603,10 +1604,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where EventID == 17 and EventID==18 and UserName == @\"{user_name_value}\"\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
+        "query": "let process_path_whitelist = pipe_whitelist | project process_path;\r\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\r\nSysmon\r\n| where (EventID == 17 or EventID==18) and UserName == @\"{user_name_value}\"\r\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
         "title": "Pipes",
+        "noDataMessage": "No pipe create and connect events for selected time and user",
         "timeContext": {
           "durationMs": 0
         },
@@ -1619,6 +1621,13 @@
       "styleSettings": {
         "progressStyle": "loader"
       }
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "---\r\nUser drilldown v.1.3.0, built by **Edoardo Gerosa**"
+      },
+      "name": "text - 26"
     }
   ],
   "fromTemplateId": "sentinel-UserWorkbook",
 
@@ -0,0 +1,2 @@
+host,process_path,query_name,reason
+,,,
@@ -0,0 +1,2 @@
+technique_id,host,process_path,file_path,reason
+,,,,
@@ -0,0 +1,2 @@
+host,file_path,process_path,reason
+,,,,
@@ -0,0 +1,2 @@
+host,process_path,driver_loaded,driver_is_signed,driver_signature,driver_signature_status,reason
+,,,,,,
@@ -0,0 +1,2 @@
+host,user_name,process_path,src_ip,dst_ip,dst_port,reason
+,,,,,,
@@ -0,0 +1,2 @@
+host,process_path,pipe_name,reason
+,,,
@@ -0,0 +1,2 @@
+host,process_path,target_process_path,process_granted_access,reason
+,,,,
@@ -0,0 +1,2 @@
+host,user,process_parent_path,process_path,process_command_line,hash_sha256,reason
+,,,,,,
@@ -0,0 +1,2 @@
+host,event_type,process_path,registry_key_path,reason
+,,,,
@@ -0,0 +1,2 @@
+host,event_type,process_path,target_process_path,target_process_address,reason
+,,,,,
@@ -149,9 +149,9 @@ resource "azurerm_storage_account" "storageaccount" {
   depends_on               = [azurerm_subnet.subnet]
 }
 
-# Create blob storage container
+# Create blob storage container for post configuration files
 resource "azurerm_storage_container" "blobstorage" {
-  name                  = "${var.prefix}-cont"
+  name                  = "${var.prefix}-store1"
   storage_account_name  = azurerm_storage_account.storageaccount.name
   container_access_type = "blob"
   depends_on            = [azurerm_storage_account.storageaccount]
@@ -169,22 +169,131 @@ resource "azurerm_storage_blob" "utilsblob" {
 
 # Create storage blob for create-ad.ps1 file
 resource "azurerm_storage_blob" "adblob" {
-  depends_on             = [azurerm_storage_container.blobstorage]
+  depends_on             = [azurerm_storage_blob.utilsblob]
   name                   = "create-ad.ps1"
   storage_account_name   = azurerm_storage_account.storageaccount.name
   storage_container_name = azurerm_storage_container.blobstorage.name
   type                   = "block"
   source                 =  "./files/create-ad.ps1"
 }
 
+# Create blob storage container for whitelisting files
+resource "azurerm_storage_container" "whiteliststorage" {
+  name                  = "${var.prefix}-store2"
+  storage_account_name  = azurerm_storage_account.storageaccount.name
+  container_access_type = "private"
+  depends_on            = [azurerm_storage_blob.adblob]
+}
+
+# Create storage blob for process create whitelist file
+resource "azurerm_storage_blob" "pcwhitelist" {
+  depends_on             = [azurerm_storage_container.whiteliststorage]
+  name                   = "process_create_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/process_create_whitelist.csv"
+}
+
+# Create storage blob for dns whitelist file
+resource "azurerm_storage_blob" "dnswhitelist" {
+  depends_on             = [azurerm_storage_blob.pcwhitelist]
+  name                   = "dns_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/dns_whitelist.csv"
+}
+
+# Create storage blob for file access whitelist file
+resource "azurerm_storage_blob" "fawhitelist" {
+  depends_on             = [azurerm_storage_blob.dnswhitelist]
+  name                   = "file_access_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/file_access_whitelist.csv"
+}
+
+# Create storage blob for file create whitelist file
+resource "azurerm_storage_blob" "fcwhitelist" {
+  depends_on             = [azurerm_storage_blob.fawhitelist]
+  name                   = "file_create_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/file_create_whitelist.csv"
+}
+
+
+# Create storage blob for image load whitelist file
+resource "azurerm_storage_blob" "ilwhitelist" {
+  depends_on             = [azurerm_storage_blob.fcwhitelist]
+  name                   = "image_load_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/image_load_whitelist.csv"
+}
+
+# Create storage blob for network whitelist file
+resource "azurerm_storage_blob" "netwhitelist" {
+  depends_on             = [azurerm_storage_blob.ilwhitelist]
+  name                   = "network_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/network_whitelist.csv"
+}
+
+# Create storage blob for pipe whitelist file
+resource "azurerm_storage_blob" "pipewhitelist" {
+  depends_on             = [azurerm_storage_blob.netwhitelist]
+  name                   = "pipe_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/pipe_whitelist.csv"
+}
+
+# Create storage blob for process access whitelist file
+resource "azurerm_storage_blob" "pawhitelist" {
+  depends_on             = [azurerm_storage_blob.pipewhitelist]
+  name                   = "process_access_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/process_access_whitelist.csv"
+}
+
+# Create storage blob for registry whitelist file
+resource "azurerm_storage_blob" "regwhitelist" {
+  depends_on             = [azurerm_storage_blob.pawhitelist]
+  name                   = "registry_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/registry_whitelist.csv"
+}
+
+# Create storage blob for remote thread whitelist file
+resource "azurerm_storage_blob" "rtwhitelist" {
+  depends_on             = [azurerm_storage_blob.pawhitelist]
+  name                   = "remote_thread_whitelist.csv"
+  storage_account_name   = azurerm_storage_account.storageaccount.name
+  storage_container_name = azurerm_storage_container.whiteliststorage.name
+  type                   = "block"
+  source                 =  "./files/remote_thread_whitelist.csv"
+}
+
 # Create public ip for domain controller 1
 resource "azurerm_public_ip" "dc1_publicip" {
     name                         = "${var.workstations.dc1}-external"
     location                     = var.location
     resource_group_name          = azurerm_resource_group.rg.name
     allocation_method            = "Dynamic"
     tags                         = var.tags
-    depends_on                   = [azurerm_storage_blob.utilsblob]
+    depends_on                   = [azurerm_storage_blob.rtwhitelist]
 }
 
 # Create network interface for domain controller 1
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (host:string, process_path:string, query_name:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (technique_id:string, host:string, process_path:string, file_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (host:string, file_name:string, file_path:string, process_path:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (host:string, user_name:string, process_path:string, src_ip:string, dst_ip:string, dst_port:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (host:string, user:string, process_parent_path:string, process_path:string, process_command_line:string, hash_sha256:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+externaldata (host:string, event_type:string, process_path:string, registry_key_path:string, registry_key_details:string, reason:string) [h"{your_sas_token}"] with (ignoreFirstRecord=true)`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+host,process_path,query_name,reason`
	`2`	`+,,,`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+technique_id,host,process_path,file_path,reason`
	`2`	`+,,,,`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+host,file_path,process_path,reason`
	`2`	`+,,,,`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+host,process_path,driver_loaded,driver_is_signed,driver_signature,driver_signature_status,reason`
	`2`	`+,,,,,,`