-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Added fix to Pivot creation * testing * Revert "Added fix to Pivot creation" This reverts commit 672eb18. * Testing * AML testing * Fixed Pivot timespan issue * [fix] Fixed nb_pivot and failing host_summary unit tests - Fixing nb_pivot and Pivot class initialization - Splitting queries into separate sub-group yamls - Adding summarize_events to linux_queries.yaml and windows_queries.yaml * Fixed typo in outputs * Moved to version 1.0.0 Co-authored-by: Pete Bryan <pebryan@microsoft.com> Co-authored-by: Ian Hellen <ianhelle@microsoft.com>
- Loading branch information
1 parent
f329351
commit 0562424
Showing
8 changed files
with
280 additions
and
4 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,2 @@ | ||
"""Version file.""" | ||
VERSION = "0.3.0" | ||
VERSION = "1.0.0" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
metadata: | ||
version: 1 | ||
description: Local Data Alert Queries | ||
data_environments: [LocalData] | ||
data_families: | ||
- AzureNetwork | ||
- Network | ||
tags: ['alert', 'securityalert', 'process', 'account', 'network', 'host'] | ||
defaults: | ||
metadata: | ||
data_source: 'security_alert' | ||
parameters: | ||
sources: | ||
# AzureNetwork | ||
list_azure_network_flows_by_ip: | ||
description: List Azure Network flows by IP address | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: az_net_comms_df.pkl | ||
parameters: | ||
list_azure_network_flows_by_host: | ||
description: List Azure Network flows by host name | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: az_net_comms_df.pkl | ||
parameters: | ||
get_heartbeat_for_ip: | ||
description: Heartbeat record | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: host_hb_df.pkl | ||
parameters: | ||
get_heartbeat_for_host: | ||
description: Heartbeat record | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: host_hb_df.pkl | ||
parameters: | ||
get_host_for_ip: | ||
description: Azure network interface record | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: az_net_if_df.pkl | ||
parameters: | ||
get_ips_for_host: | ||
description: Azure network interface record | ||
metadata: | ||
data_families: [Network] | ||
args: | ||
query: az_net_if_df.pkl | ||
parameters: | ||
# AAD | ||
list_aad_signins_for_account: | ||
description: AAD Signin Logs | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: aad_signin_user.pkl | ||
parameters: | ||
list_aad_signins_for_ip: | ||
description: AAD Signin Logs | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: aad_signin_random.pkl | ||
parameters: | ||
# Azure Activity | ||
list_azure_activity_for_account: | ||
description: Azure Activity | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: azure_activity_df.pkl | ||
parameters: | ||
list_azure_activity_for_ip: | ||
description: Azure Activity | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: azure_activity_df.pkl | ||
parameters: | ||
get_vmcomputer_for_ip: | ||
description: VMComputer table | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: vmcomputer_df.pkl | ||
parameters: | ||
get_vmcomputer_for_host: | ||
description: VMComputer table | ||
metadata: | ||
data_families: [Azure] | ||
args: | ||
query: vmcomputer_df.pkl | ||
parameters: | ||
# O365 | ||
list_activity_for_account: | ||
description: Office Activity | ||
metadata: | ||
data_families: [Office365] | ||
args: | ||
query: office_activity_user.pkl | ||
parameters: | ||
list_activity_for_ip: | ||
description: Office Activity | ||
metadata: | ||
data_families: [Office365] | ||
args: | ||
query: office_activity_random.pkl | ||
parameters: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
metadata: | ||
version: 1 | ||
description: Local Data Alert Queries | ||
data_environments: [LocalData] | ||
data_families: | ||
- LinuxSyslog | ||
tags: ['alert', 'securityalert', 'process', 'account', 'network', 'host'] | ||
defaults: | ||
metadata: | ||
data_source: 'security_alert' | ||
parameters: | ||
sources: | ||
list_logons_for_account: | ||
description: Linux logon Activity | ||
metadata: | ||
data_families: [LinuxSyslog] | ||
args: | ||
query: lx_host_logons.pkl | ||
parameters: | ||
list_logons_for_source_ip: | ||
description: Linux logon Activity | ||
metadata: | ||
data_families: [LinuxSyslog] | ||
args: | ||
query: lx_host_logons.pkl | ||
parameters: | ||
summarize_events: | ||
description: Linux Event summary | ||
metadata: | ||
data_families: [LinuxSyslog] | ||
args: | ||
query: lx_host_logons.pkl | ||
parameters: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,42 @@ | ||
metadata: | ||
version: 1 | ||
description: Local Data Alert Queries | ||
data_environments: [LocalData] | ||
data_families: | ||
- SecurityAlert | ||
- SecurityEvent | ||
tags: ['alert', 'securityalert', 'sentinel'] | ||
defaults: | ||
metadata: | ||
data_source: 'security_alert' | ||
parameters: | ||
sources: | ||
# Alerts | ||
list_alerts: | ||
description: Retrieves list of alerts | ||
metadata: | ||
data_families: [SecurityAlert] | ||
args: | ||
query: alerts_list.pkl | ||
parameters: | ||
list_related_alerts: | ||
description: Retrieves list of related alerts | ||
metadata: | ||
data_families: [SecurityAlert] | ||
args: | ||
query: alerts_list.pkl | ||
parameters: | ||
list_alerts_for_ip: | ||
description: Retrieves list of related alerts | ||
metadata: | ||
data_families: [SecurityAlert] | ||
args: | ||
query: alerts_list.pkl | ||
# Azure Sentinel tables | ||
list_bookmarks_for_entity: | ||
description: Retrieves list of related bookmarks. | ||
metadata: | ||
data_families: [AzureSentinel] | ||
args: | ||
query: bookmarks.csv | ||
parameters: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
metadata: | ||
version: 1 | ||
description: Local Data Alert Queries | ||
data_environments: [LocalData] | ||
data_families: | ||
- SecurityEvent | ||
- WindowsSecurity | ||
tags: ['process', 'account', 'network', 'host'] | ||
defaults: | ||
metadata: | ||
data_source: 'security_alert' | ||
parameters: | ||
sources: | ||
# Windows | ||
list_host_processes: | ||
description: List processes on host | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: processes_on_host.pkl | ||
parameters: | ||
list_host_logons: | ||
description: List logons on host | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: host_logons.pkl | ||
parameters: | ||
list_host_logon_failures: | ||
description: List logon failures on host | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: failed_logons.pkl | ||
parameters: | ||
list_logon_attempts_by_account: | ||
description: Success and failed | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: win_logon_attempts.pkl | ||
parameters: | ||
list_host_events: | ||
description: List events on host | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: all_events_df.pkl | ||
parameters: | ||
get_process_tree: | ||
description: Get process tree for a process | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: process_tree.pkl | ||
parameters: | ||
list_all_logons_by_host: | ||
description: Return Logon Events For A Host | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: win_host_logons.pkl | ||
parameters: | ||
summarize_events: | ||
description: Summarize host events | ||
metadata: | ||
data_families: [WindowsSecurity] | ||
args: | ||
query: all_events_df.pkl | ||
parameters: |