Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki

Author: v-sudkharat

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -1,9 +1,34 @@
 [
+  {
+    "id": "e8394afb-82a7-4718-8d31-cc57ad352fa8",
+    "templateName": "SAPLogServ-AuditTrailPolicyChanges.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "a9e4b02a-5a8c-4c59-9836-a204d1028632",
+    "templateName": "SAPLogServ-UserAdminActions.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "8fb9fb88-693f-4906-8be2-4bb9771418fc",
+    "templateName": "SAPLogServ-DeactivationofAuditTrail.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "4981469b-8618-43a7-b44c-5744594fa494",
+    "templateName": "SAPLogServ-AssignAdminAuthorizations.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
     "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",
     "validationFailReason": "The name 'Network' does not refer to any known column, table, variable or function. The name 'geo_info_from_ip_address' does not refer to any known function."
   },
+  {
+    "id": "c6111e06-11e2-45eb-86ef-28313a06db35",
+    "templateName": "SAPETD-ExecutionofSensitiveFunctionModule.yaml",
+    "validationFailReason": "The name 'FunctionModule' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
     "templateName": "AuthenticationAttemptfromNewCountry.yaml",

DataConnectors/AWS-S3/ConfigCloudTrailDataConnector.ps1

@@ -12,7 +12,7 @@ function Get-CloudTrailKmsPolicy {
 				'Principal' = @{
 					'Service' = 'cloudtrail.amazonaws.com';
 				};
-				'Action'    = 'kms=GenerateDataKey*';
+				'Action'    = 'kms:GenerateDataKey*';
 				'Resource'  = '*';
 			},
 			@{
@@ -22,7 +22,7 @@ function Get-CloudTrailKmsPolicy {
 					'AWS' = @("${roleArn}");
 				};
 				'Action'    = @(
-					'kms=Decrypt'
+					'kms:Decrypt'
 				);
 				'Resource'  = '*';
 			}

Detections/ASimWebSession/UnusualUAPowershell.yaml

@@ -60,13 +60,13 @@ entityMappings:
 
 alertDetailsOverride:
   alertDisplayNameFormat: 'Host {{SrcIpAddr}} is potentially running PowerShell'
-  alertDescriptionFormat: 'The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PoerShell and indicates suspicious activity on the host.'
+  alertDescriptionFormat: 'The host at address {{SrcIpAddr}} sent an HTTP request to the URL {{Url}} with the HTTP user agent header {{HttpUserAgent}}. This user agent is known to be used by PowerShell and indicates suspicious activity on the host.'
 customDetails:
   UserAgent: HttpUserAgent
 
 eventGroupingSettings:
   aggregationKind: AlertPerResult
-version: 1.1.4
+version: 1.1.5
 kind: Scheduled
 metadata:
     source:

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Top 10 External Senders (Spam).yaml

@@ -1,4 +1,4 @@
-id: 86c7d21b-2081-419d-bc2e-7bc909d61eef
+id: debd82cc-2507-4c93-bd0a-a58926fc6d3a
 name: Top 10 External Senders (Spam)
 description: |
   Identifies the top 10 external sender addresses delivering inbound emails classified as spam.

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Blocked Clicks Trend.yml

@@ -0,0 +1,22 @@
+id: ac738108-451b-4341-ba38-021a00665415
+name: Blocked Clicks Trend
+description: |
+  Visualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  UrlClickEvents
+  | where TimeGenerated >= TimeStart
+  | where ActionType == "ClickBlocked"
+  | make-series BlockedClicks = count() default = 0 on TimeGenerated from TimeStart to TimeEnd step 1d
+  | render timechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious Clicks allowed (click-through).yaml

@@ -0,0 +1,23 @@
+id: ba4f7e56-a2f8-4a30-b848-200fdc7fc3a2
+name: Malicious Clicks allowed (click-through)
+description: |
+  Visualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  UrlClickEvents
+  | where TimeGenerated >= TimeStart
+  | where IsClickedThrough == 1
+  | where isnotempty(ThreatTypes)
+  | make-series Count = count() default = 0 on TimeGenerated from TimeStart to TimeEnd step 1d
+  | render timechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious Emails with QR code Urls.yaml

@@ -0,0 +1,25 @@
+id: 13260191-fb10-4a36-9ca1-2bbc0aaf77d0
+name: Malicious Emails with QR code Urls
+description: |
+  Visualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailUrlInfo
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailUrlInfo
+  | where UrlLocation == "QRCode"
+  | join kind=inner (
+      EmailEvents
+      | where isnotempty(ThreatTypes)
+      | project NetworkMessageId, ThreatTypes
+  ) on NetworkMessageId
+  | summarize count() by ThreatTypes
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious URL Clicks by workload.yml

@@ -0,0 +1,19 @@
+id: c2b4ef3a-216d-4506-8b35-6a1b0f2a3bf7
+name: Malicious URL Clicks by workload
+description: |
+  Visualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where isnotempty(ThreatTypes)
+  | summarize count() by Workload
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Top 10 Users clicking on Malicious URLs (Malware).yaml

@@ -0,0 +1,20 @@
+id: 5a84e13a-bb17-4124-9564-d74cdb84c124
+name: Top 10 Users clicking on Malicious URLs (Malware)
+description: |
+  Visualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where ThreatTypes == "Malware"
+  | summarize count() by AccountUpn
+  | top 10 by count_
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Top 10 Users clicking on Malicious URLs (Phish).yaml

@@ -0,0 +1,20 @@
+id: a937905e-ee5c-406c-ab86-8e2581240112
+name: Top 10 Users clicking on Malicious URLs (Phish)
+description: |
+  Visualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where ThreatTypes == "Phish"
+  | summarize count() by AccountUpn
+  | top 10 by count_
+  | render piechart
+version: 1.0.0