Contrast-Security-OSS
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Detection Trend.yaml‎
Lines changed: 24 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Detection Trend.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Top Families by AV.yaml‎
Lines changed: 23 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Top Families by AV.yaml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Top Families by Safe Attachments.yaml‎
Lines changed: 23 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/File Malware Top Families by Safe Attachments.yaml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by Workload Locations.yaml‎
Lines changed: 23 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by Workload Locations.yaml‎
Lines changed: 23 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by Workload Type.yaml‎
Lines changed: 24 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Malware/Malware detections by Workload Type.yaml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Phish reason trend.yaml‎
Lines changed: 105 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Phish reason trend.yaml‎
Lines changed: 105 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Phish reason.yaml‎
Lines changed: 21 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Phish reason.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Spam reason trend.yaml‎
Lines changed: 68 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Spam reason trend.yaml‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Spam reason.yaml‎
Lines changed: 21 additions & 0 deletions b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine Spam reason.yaml‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml‎
Lines changed: 1 addition & 1 deletion b/‎Hunting Queries/Microsoft 365 Defender/Email Queries/Quarantine/Quarantine release trend.yaml‎
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,24 @@
+id: 71cdf9cb-39b7-40fe-a81f-2c125efc7d07
+name: File Malware Detection Trend
+description: |
+  This query visualises total files located on SharePoint, OneDrive and Teams with Malware detections over time summarizing the data daily.
+description-detailed: |
+  This query visualises total files located on SharePoint, OneDrive and Teams with Malware detections over time summarizing the data daily.
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  CloudAppEvents
+  | where TimeGenerated >= TimeStart
+  | where ActionType == 'FileMalwareDetected'
+  | make-series Count = count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d
+  | render timechart
+version: 1.0.0
@@ -0,0 +1,23 @@
+id: db287ba5-344a-4e43-a94f-26e686203598
+name: File Malware by Top Malware Families (Anti Virus)
+description: |
+  This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on built-in SharePoint AV detections
+description-detailed: |
+  This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on built-in SharePoint AV detections
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == 'FileMalwareDetected' and isempty(UserAgent)
+  | project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
+  | summarize count() by tostring(RawinfoVirusInfo) | sort by count_
+  | render piechart
+  // | render columnchart // Uncomment to change the graph type
+version: 1.0.0
@@ -0,0 +1,23 @@
+id: afd90d9e-f8f5-41c7-823a-616907392503
+name: File Malware by Top Malware Families (Safe Attachments)
+description: |
+  This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on Defender for Office 365 detections (detonations)
+description-detailed: |
+  This query visualises total Malware detections of files located on SharePoint, OneDrive and Teams over time summarizing the data by the various Malware families detected focusing on Defender for Office 365 detections (detonations)
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == 'FileMalwareDetected' and UserAgent =~ 'MS Scanner ATP'
+  | project ObjectName, UserAgent, RawinfoVirusInfo = RawEventData.VirusInfo
+  | summarize count() by tostring(RawinfoVirusInfo) | sort by count_
+  | render piechart
+  // | render columnchart // Uncomment to change the graph type
+version: 1.0.0
@@ -0,0 +1,23 @@
+id: bb6afb85-8e80-4c98-b73b-c2c821528a1c
+name: Malware detections by Workload Locations
+description: |
+  This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored
+description-detailed: |
+  This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the locations they are stored
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == 'FileMalwareDetected'
+  | project location=(split(RawEventData.SiteUrl, '/')[4])
+  | summarize count() by tostring(location)
+  | sort by count_ desc
+  | render columnchart
+version: 1.0.0
@@ -0,0 +1,24 @@
+id: 094a9823-e053-4b36-8678-cd70f048db91
+name: Malware detections by Workload Type
+description: |
+  This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored
+description-detailed: |
+  This query visualises the amount of total Malware detections of files located on SharePoint, OneDrive and Teams, summarizing by the workload in which they are stored
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - CloudAppEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  CloudAppEvents
+  | where ActionType == 'FileMalwareDetected'
+  | extend Appwithteams = iff(Application =~ 'Microsoft SharePoint Online',strcat(Application,' / Teams Files'),Application)
+  | extend Appwithteams = trim_start('Microsoft',Appwithteams) | summarize count() by Appwithteams
+  | sort by count_ desc
+  | render piechart
+  // | render columnchart // Uncomment to change the graph type
+version: 1.0.0
@@ -0,0 +1,105 @@
+id: 6f7df1b7-5613-45e5-9b82-3ec95d86e0e8
+name: Quarantine Phish Reason trend
+description: |
+  This query visualises the amount of phish emails that are quarantined, summarized daily by the detection method
+description-detailed: |
+  This query visualises the amount of phish emails that are quarantined, summarized daily by the detection method
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  let baseQuery = EmailEvents
+  | where TimeGenerated >= TimeStart
+  | where DetectionMethods has "Phish" and DeliveryLocation == "Quarantine";
+  let ml=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Advanced filter'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Advanced filter";
+  let camp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Campaign'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Campaign";
+  let fd=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'File detonation' and Phish !has 'File detonation reputation'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "File detonation";
+  let fdr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'File detonation reputation'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "File detonation reputation";
+  let frp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Fingerprint matching' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Fingerprint matching";
+  let gf=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'General filter' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "General filter";
+  let bimp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Impersonation brand' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Impersonation brand";
+  let dimp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Impersonation domain' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Impersonation domain";
+  let uimp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Impersonation user' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Impersonation user";
+  let mimp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Mailbox intelligence impersonation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Mailbox intelligence impersonation";
+  let sdmarc=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Spoof DMARC' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Spoof DMARC";
+  let spoofe=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Spoof external domain' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Spoof external domain";
+  let spoofi=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'Spoof intra-org' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Spoof intra-org";
+  let ud=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'URL detonation' and Phish !has 'URL detonation reputation'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "URL detonation";
+  let udr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'URL detonation reputation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "URL detonation reputation";
+  let umr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Phish has 'URL malicious reputation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "URL malicious reputation";
+  union ml,camp,fd,fdr,frp,gf,bimp,dimp,uimp,mimp,sdmarc,spoofe,spoofi,ud,udr,umr
+  | project Count, Details, Timestamp
+  | render timechart
+version: 1.0.0
@@ -0,0 +1,21 @@
+id: 5caf3813-c628-48e2-be65-71b95be7ff85
+name: Quarantine Phish Reason
+description: |
+  This query visualises the total amount of phish emails that are quarantined, summarized by the detection method
+description-detailed: |
+  This query visualises the total amount of phish emails that are quarantined, summarized by the detection method
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound" and DetectionMethods has 'Phish' and DeliveryLocation == "Quarantine"
+  | project DT=parse_json(DetectionMethods)| evaluate bag_unpack(DT)| summarize count() by Phish=tostring(column_ifexists('Phish', ''))
+  | render piechart
+version: 1.0.0
@@ -0,0 +1,68 @@
+id: 014ffc5c-0ba5-49f9-989c-3833e0d1c2b8
+name: Quarantine Spam Reason trend
+description: |
+  This query visualises the amount of spam emails that are quarantined, summarized daily by the detection method
+description-detailed: |
+  This query visualises the amount of spam emails that are quarantined, summarized daily by the detection method
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  let TimeStart = startofday(ago(30d));
+  let TimeEnd = startofday(now());
+  let baseQuery = EmailEvents
+  | where TimeGenerated >= TimeStart
+  | where DetectionMethods has "Spam" and DeliveryLocation == "Quarantine";
+  let timerange = 
+  baseQuery
+  | summarize minTime = min(Timestamp), maxTime = max(Timestamp);
+  let ml=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'Advanced filter'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Advanced filter";
+  let gf=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'General filter'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "General filter";
+  let bl=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'BulkFilter'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "BulkFilter";
+  let mx=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'Mixed analysis detection'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Mixed analysis detection";
+  let frp=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'Fingerprint matching'
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Fingerprint matching";
+  let umr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'URL malicious reputation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "URL malicious reputation";
+  let dr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'Domain reputation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "Domain reputation";
+  let ipr=baseQuery
+  | project Timestamp,RecipientEmailAddress,NetworkMessageId, DT=parse_json(DetectionMethods) | evaluate bag_unpack(DT) 
+  | where Spam has 'IP reputation' 
+  | make-series Count= count() default = 0 on Timestamp from TimeStart to TimeEnd step 1d 
+  | extend Details = "IP reputation";
+  union ml,gf,bl,mx,frp,umr,dr,ipr
+  | project Count, Details, Timestamp
+  | render timechart
+version: 1.0.0
@@ -0,0 +1,21 @@
+id: 35b21933-9d3e-4919-b545-2ada20d26e8e
+name: Quarantine Spam Reason
+description: |
+  This query visualises the total amount of spam emails that are quarantined, summarized by the detection method
+description-detailed: |
+  This query visualises the total amount of spam emails that are quarantined, summarized by the detection method
+  Query is also included as part of the Defender for Office 365 solution in Sentinel: https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/part-2-build-custom-email-security-reports-and-dashboards-with-workbooks-in-micr/4411303
+requiredDataConnectors:
+- connectorId: MicrosoftThreatProtection
+  dataTypes:
+  - EmailEvents
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1566
+query: |
+  EmailEvents
+  | where EmailDirection == "Inbound" and DetectionMethods has 'Spam' and DeliveryLocation == "Quarantine"
+  | project DT=parse_json(DetectionMethods)| evaluate bag_unpack(DT)| summarize count() by Spam=tostring(column_ifexists('Spam', ''))
+  | render piechart
+version: 1.0.0
@@ -18,5 +18,5 @@ query: |
   | where ActionType == "QuarantineReleaseMessage"
   | summarize count() by bin(Timestamp, 1d)
   | project-rename Releases = count_
-  | render timechart with (title="Qurantine Releases by Day")
+  | render timechart with (title="Quarantine Releases by Day")
 version: 1.0.0