Merge branch 'master' of https://github.com/Azure/Azure-Sentinel into BarracudaWAFWebSession

Author: vakohl

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -1,9 +1,34 @@
 [
+  {
+    "id": "e8394afb-82a7-4718-8d31-cc57ad352fa8",
+    "templateName": "SAPLogServ-AuditTrailPolicyChanges.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "a9e4b02a-5a8c-4c59-9836-a204d1028632",
+    "templateName": "SAPLogServ-UserAdminActions.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "8fb9fb88-693f-4906-8be2-4bb9771418fc",
+    "templateName": "SAPLogServ-DeactivationofAuditTrail.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
+  {
+    "id": "4981469b-8618-43a7-b44c-5744594fa494",
+    "templateName": "SAPLogServ-AssignAdminAuthorizations.yaml",
+    "validationFailReason": "The name 'Raw' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "5dd72ebe-03ac-43ac-851b-68cfe5106e4f",
     "templateName": "SAPETD-LoginFromUnexpectedNetwork.yaml",
     "validationFailReason": "The name 'Network' does not refer to any known column, table, variable or function. The name 'geo_info_from_ip_address' does not refer to any known function."
   },
+  {
+    "id": "c6111e06-11e2-45eb-86ef-28313a06db35",
+    "templateName": "SAPETD-ExecutionofSensitiveFunctionModule.yaml",
+    "validationFailReason": "The name 'FunctionModule' does not refer to any known column, table, variable or function."
+  },
   {
     "id": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
     "templateName": "AuthenticationAttemptfromNewCountry.yaml",

Hunting Queries/Microsoft 365 Defender/Email Queries/General/Top 10 External Senders (Spam).yaml

@@ -1,4 +1,4 @@
-id: 86c7d21b-2081-419d-bc2e-7bc909d61eef
+id: debd82cc-2507-4c93-bd0a-a58926fc6d3a
 name: Top 10 External Senders (Spam)
 description: |
   Identifies the top 10 external sender addresses delivering inbound emails classified as spam.

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Blocked Clicks Trend.yml

@@ -0,0 +1,22 @@
+id: ac738108-451b-4341-ba38-021a00665415
+name: Blocked Clicks Trend
+description: |
+  Visualises the trend of malicious URL clicks that were blocked by Safe Links over the past 30 days, helping analysts monitor the effectiveness of click protection policies.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  UrlClickEvents
+  | where TimeGenerated >= TimeStart
+  | where ActionType == "ClickBlocked"
+  | make-series BlockedClicks = count() default = 0 on TimeGenerated from TimeStart to TimeEnd step 1d
+  | render timechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious Clicks allowed (click-through).yaml

@@ -0,0 +1,23 @@
+id: ba4f7e56-a2f8-4a30-b848-200fdc7fc3a2
+name: Malicious Clicks allowed (click-through)
+description: |
+  Visualises malicious URL clicks that were allowed through Safe Links over time, helping analysts identify when users bypass security controls and click on malicious content.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  UrlClickEvents
+  | where TimeGenerated >= TimeStart
+  | where IsClickedThrough == 1
+  | where isnotempty(ThreatTypes)
+  | make-series Count = count() default = 0 on TimeGenerated from TimeStart to TimeEnd step 1d
+  | render timechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious Emails with QR code Urls.yaml

@@ -0,0 +1,25 @@
+id: 13260191-fb10-4a36-9ca1-2bbc0aaf77d0
+name: Malicious Emails with QR code Urls
+description: |
+  Visualises emails containing QR code URLs that have been detected as malicious, helping analysts identify QR code-based attack campaigns.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - EmailUrlInfo
+      - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailUrlInfo
+  | where UrlLocation == "QRCode"
+  | join kind=inner (
+      EmailEvents
+      | where isnotempty(ThreatTypes)
+      | project NetworkMessageId, ThreatTypes
+  ) on NetworkMessageId
+  | summarize count() by ThreatTypes
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Malicious URL Clicks by workload.yml

@@ -0,0 +1,19 @@
+id: c2b4ef3a-216d-4506-8b35-6a1b0f2a3bf7
+name: Malicious URL Clicks by workload
+description: |
+  Visualises click attempts on malicious URLs, grouped by workload (such as Exchange, Teams, SharePoint, Copilot etc.), to help analysts understand which workloads are most targeted.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where isnotempty(ThreatTypes)
+  | summarize count() by Workload
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Top 10 Users clicking on Malicious URLs (Malware).yaml

@@ -0,0 +1,20 @@
+id: 5a84e13a-bb17-4124-9564-d74cdb84c124
+name: Top 10 Users clicking on Malicious URLs (Malware)
+description: |
+  Visualises the top 10 users with click attempts on URLs in emails detected as malware, helping analysts identify risky user behaviour and potential targets.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where ThreatTypes == "Malware"
+  | summarize count() by AccountUpn
+  | top 10 by count_
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Top 10 Users clicking on Malicious URLs (Phish).yaml

@@ -0,0 +1,20 @@
+id: a937905e-ee5c-406c-ab86-8e2581240112
+name: Top 10 Users clicking on Malicious URLs (Phish)
+description: |
+  Visualises the top 10 users with click attempts on URLs in emails detected as phishing, helping analysts identify risky user behaviour and potential targets.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where ThreatTypes == "Phish"
+  | summarize count() by AccountUpn
+  | top 10 by count_
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/Top 10 Users clicking on Malicious URLs (Spam).yaml

@@ -0,0 +1,20 @@
+id: 3a2fdf32-ebe7-4f65-a1c3-fc7faf23ae90
+name: Top 10 Users clicking on Malicious URLs (Spam)
+description: |
+  Visualises the top 10 users with click attempts on URLs in emails detected as spam, helping analysts identify risky user behaviour and potential targets.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  UrlClickEvents
+  | where ThreatTypes == "Spam"
+  | summarize count() by AccountUpn
+  | top 10 by count_
+  | render piechart
+version: 1.0.0

Hunting Queries/Microsoft 365 Defender/Email Queries/URL/URL Click attempts by threat type.yaml

@@ -0,0 +1,22 @@
+id: 3eef362d-3aee-4950-9208-4afa6f7afbe9
+name: URL Click attempts by threat type
+description: |
+  Visualises the total amount of click attempts on URLs with detections, split by the different threat types identified.
+  Based on Defender for Office 365 workbook: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - UrlClickEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  UrlClickEvents
+  | where TimeGenerated >= TimeStart
+  | where isnotempty(ThreatTypes)
+  | summarize Count = count() by ThreatTypes, bin(TimeGenerated, 1d)
+  | render timechart
+version: 1.0.0