Merge branch 'master' into v-tsawant/ASIM-vimAuthenticationSshd

Author: v-amolpatil

Solutions/UEBA Essentials/Data/Solution_UEBA.json

@@ -28,10 +28,15 @@
 	"Hunting Queries/UEBA Multi-Source Anomalous Activity Overview.yaml",
 	"Hunting Queries/Anomalous First-Time Device Logon.yaml",
 	"Hunting Queries/Anomalous Okta First-Time or Uncommon Actions.yaml",
-	"Hunting Queries/Anomalous GCP IAM Activity.yaml"
+	"Hunting Queries/Anomalous GCP IAM Activity.yaml",
+	"Hunting Queries/Anomalous High-Score Activity Triage.yaml",
+	"Hunting Queries/Anomaly Template Distribution by Tactics and Techniques.yaml",
+	"Hunting Queries/User-Centric Anomaly Investigation.yaml",
+	"Hunting Queries/Anomaly Detection Trend Analysis.yaml",
+	"Hunting Queries/Top Anomalous Source IP Triage.yaml"
   ],
   "Metadata": "SolutionMetadata.json",
   "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\UEBA Essentials",
-  "Version": "3.0.2",
+	"Version": "3.0.3",
   "TemplateSpec": true
 }

Solutions/UEBA Essentials/Hunting Queries/Anomalous AAD Account Manipulation.yaml

@@ -0,0 +1,25 @@
+id: a7b8c9d0-e1f2-3456-7890-abcdef123456
+name: Anomalous High-Score Activity Triage
+description: |
+  'Identify the highest-scoring anomalies for rapid triage using Anomalies Table.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(7d) 
+  | sort by Score desc 
+  | project TimeGenerated, AnomalyTemplateName, Score, Description, UserName, SourceIpAddress, Tactics, Techniques
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomalous High-Score Activity Triage.yaml

@@ -0,0 +1,16 @@
+id: d0e1f2a3-b4c5-6789-0123-def456789012
+name: Anomaly Detection Trend Analysis
+description: |
+  'Visualizes anomaly detection trends over the past 90 days, showing daily counts of triggered anomaly templates. Use this time-series chart to identify patterns, spikes in anomalous behavior, and seasonal trends for baseline establishment and threat hunting prioritization.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(90d) 
+  | summarize Count = count() by bin(TimeGenerated, 1d), AnomalyTemplateName
+  | render timechart
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomaly Detection Trend Analysis.yaml

@@ -0,0 +1,16 @@
+id: b8c9d0e1-f2a3-4567-8901-bcdef2345678
+name: Anomaly Template Distribution by Tactics and Techniques
+description: |
+  'Provides a statistical overview of anomaly detections over the past 30 days, grouped by template name, MITRE ATT&CK tactics, and techniques. Use this query to identify the most frequently triggered anomaly patterns and their associated threat techniques for trend analysis and detection tuning.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(30d) 
+  | summarize Count = count() by AnomalyTemplateName, Tactics, Techniques
+  | sort by Count desc
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Anomaly Template Distribution by Tactics and Techniques.yaml

@@ -0,0 +1,36 @@
+id: e1f2a3b4-c5d6-7890-1234-abcdef567890
+name: Top Anomalous Source IP Triage
+description: |
+  'Identifies the top source IP addresses with multiple distinct anomaly templates over the past 30 days (excluding single noisy hits), then surfaces their most recent (last 24h) high-fidelity anomalous activities for focused investigation, including scores, tactics, techniques, and behavioral insights.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  let TopIPs =
+    Anomalies
+    | where TimeGenerated > ago(30d)
+    | where isnotempty(SourceIpAddress)
+    | summarize TotalAnomalies = count(), DistinctTemplates = dcount(AnomalyTemplateName) by SourceIpAddress
+    | where TotalAnomalies > 1 and DistinctTemplates > 1
+    | top 5 by TotalAnomalies desc
+    | project SourceIpAddress;
+  Anomalies
+  | where TimeGenerated > ago(24h)
+  | where SourceIpAddress in (TopIPs)
+  | project TimeGenerated, SourceIpAddress, AnomalyTemplateName, Score, Description,
+            UserPrincipalName, UserName, StartTime, EndTime,
+            Tactics, Techniques, ActivityInsights, DeviceInsights, UserInsights, AnomalyReasons
+  | order by SourceIpAddress asc, Score desc, TimeGenerated desc
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/Top Anomalous Source IP Triage.yaml

@@ -0,0 +1,25 @@
+id: c9d0e1f2-a3b4-5678-9012-cdef34567890
+name: User-Centric Anomaly Investigation
+description: |
+  'Investigates all anomalous activities associated with a specific user account over the past 30 days, including anomaly scores, behavioral insights, source locations, and MITRE ATT&CK mappings. Customize by replacing "[email protected]" with the target user principal name for focused threat hunting and incident response.'
+requiredDataConnectors:
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - Anomalies
+tactics:
+relevantTechniques:
+query: |
+  Anomalies 
+  | where TimeGenerated > ago(30d) 
+  | where UserPrincipalName == "[email protected]" 
+  | project TimeGenerated, UserName, AnomalyTemplateName, Score, Description, ActivityInsights, UserInsights, SourceIpAddress, SourceLocation, Tactics, Techniques
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: UserName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIpAddress
+version: 1.0.0

Solutions/UEBA Essentials/Hunting Queries/User-Centric Anomaly Investigation.yaml

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/UEBA%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel UEBA content package will provide you with various queries based on UEBA tables, that allows you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.\n\n**Important :** Some of the queries that are part of this solution, make use of [Built-in Watchlist Templates](https://docs.microsoft.com/azure/sentinel/watchlist-schemas) and will not work unless the corresponding watchlist is created. Other queries may requires changes to match your environment details.\n\n**Hunting Queries:** 25\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/UEBA%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Microsoft Sentinel UEBA content package will provide you with various queries based on UEBA tables, that allows you to hunt for tailored threat scenarios. You'll be able to investigate and search for anomalous activities over UEBA's enriched data, and get inspired to customize queries according to your own use-cases.\n\n**Important :** Some of the queries that are part of this solution, make use of [Built-in Watchlist Templates](https://docs.microsoft.com/azure/sentinel/watchlist-schemas) and will not work unless the corresponding watchlist is created. Other queries may requires changes to match your environment details.\n\n**Hunting Queries:** 30\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -422,6 +422,76 @@
                 }
               }
             ]
+          },
+          {
+            "name": "huntingquery26",
+            "type": "Microsoft.Common.Section",
+            "label": "Anomalous High-Score Activity Triage",
+            "elements": [
+              {
+                "name": "huntingquery26-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identify the highest-scoring anomalies for rapid triage using Anomalies Table. This hunting query depends on BehaviorAnalytics data connector (Anomalies Parser or Table)"
+                }
+              }
+            ]
+          },
+          {
+            "name": "huntingquery27",
+            "type": "Microsoft.Common.Section",
+            "label": "Anomaly Template Distribution by Tactics and Techniques",
+            "elements": [
+              {
+                "name": "huntingquery27-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Provides a statistical overview of anomaly detections over the past 30 days, grouped by template name, MITRE ATT&CK tactics, and techniques. Use this query to identify the most frequently triggered anomaly patterns and their associated threat techniques for trend analysis and detection tuning. This hunting query depends on BehaviorAnalytics data connector (Anomalies Parser or Table)"
+                }
+              }
+            ]
+          },
+          {
+            "name": "huntingquery28",
+            "type": "Microsoft.Common.Section",
+            "label": "User-Centric Anomaly Investigation",
+            "elements": [
+              {
+                "name": "huntingquery28-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Investigates all anomalous activities associated with a specific user account over the past 30 days, including anomaly scores, behavioral insights, source locations, and MITRE ATT&CK mappings. Customize by replacing \"[email protected]\" with the target user principal name for focused threat hunting and incident response. This hunting query depends on BehaviorAnalytics data connector (Anomalies Parser or Table)"
+                }
+              }
+            ]
+          },
+          {
+            "name": "huntingquery29",
+            "type": "Microsoft.Common.Section",
+            "label": "Anomaly Detection Trend Analysis",
+            "elements": [
+              {
+                "name": "huntingquery29-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Visualizes anomaly detection trends over the past 90 days, showing daily counts of triggered anomaly templates. Use this time-series chart to identify patterns, spikes in anomalous behavior, and seasonal trends for baseline establishment and threat hunting prioritization. This hunting query depends on BehaviorAnalytics data connector (Anomalies Parser or Table)"
+                }
+              }
+            ]
+          },
+          {
+            "name": "huntingquery30",
+            "type": "Microsoft.Common.Section",
+            "label": "Top Anomalous Source IP Triage",
+            "elements": [
+              {
+                "name": "huntingquery30-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Identifies the top source IP addresses with multiple distinct anomaly templates over the past 30 days (excluding single noisy hits), then surfaces their most recent (last 24h) high-fidelity anomalous activities for focused investigation, including scores, tactics, techniques, and behavioral insights. This hunting query depends on BehaviorAnalytics data connector (Anomalies Parser or Table)"
+                }
+              }
+            ]
           }
         ]
       }