Merge branch 'junk'

Author: netevert

hunting/workbooks/attack_drilldown.json

@@ -22,7 +22,7 @@
             "description": "Selects the time range for the drilldown",
             "isRequired": true,
             "value": {
-              "durationMs": 86400000
+              "durationMs": 5184000000
             },
             "typeSettings": {
               "selectableValues": [
@@ -88,6 +88,10 @@
             "typeSettings": {
               "additionalResourceOptions": []
             },
+            "timeContext": {
+              "durationMs": 0
+            },
+            "timeContextFromParameter": "time_range",
             "queryType": 0,
             "resourceType": "microsoft.operationalinsights/workspaces"
           }
@@ -102,7 +106,7 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
+        "query": "let process_path_create_whitelist = process_create_whitelist | project process_path;\r\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\r\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\r\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\r\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\r\nlet process_path_network_whitelist = network_whitelist | project process_path;\r\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\r\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\r\n| summarize count() by technique_name, bin(TimeGenerated, 1h)",
         "size": 0,
         "title": "Activity by technique",
         "timeContext": {
@@ -122,10 +126,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 1\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
+        "query": "let process_ppath_whitelist = process_create_whitelist | project process_parent_path;\r\nlet process_path_whitelist = process_create_whitelist | project process_path;\r\nlet command_line_whitelist = process_create_whitelist | project replace(\"'\", \"\", replace('\"', '', process_command_line));\r\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 1\r\n| where isnotempty(technique_name)\r\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Process create",
+        "title": "Process create (not whitelisted)",
+        "noDataMessage": "No process create activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -336,7 +341,7 @@
           }
         ]
       },
-      "name": "query - 2",
+      "name": "process-create-query",
       "styleSettings": {
         "progressStyle": "loader"
       }
@@ -345,10 +350,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 10\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
+        "query": "let process_path_whitelist = process_access_whitelist | project process_path;\r\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\r\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 10\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Process access",
+        "title": "Process access  (not whitelisted)",
+        "noDataMessage": "No process access activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -494,10 +500,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 11\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
+        "query": "let file_name_whitelist = file_create_whitelist | project file_name;\r\nlet file_path_whitelist = file_create_whitelist | project file_path;\r\nlet proc_path_whitelist = file_create_whitelist | project process_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 11\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "File created",
+        "title": "File created  (not whitelisted)",
+        "noDataMessage": "No file create activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -612,7 +619,7 @@
           ]
         }
       },
-      "name": "File-created-query",
+      "name": "file-created-query",
       "styleSettings": {
         "progressStyle": "loader"
       }
@@ -621,10 +628,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID  == 7\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
+        "query": "let process_path__whitelist = image_load_whitelist | project process_path;\r\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\r\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\r\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\r\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID  == 7\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid",
         "size": 0,
         "showAnalytics": true,
-        "title": "Image loaded",
+        "title": "Image loaded  (not whitelisted)",
+        "noDataMessage": "No image loaded activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -782,10 +790,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 3\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
+        "query": "let process_path_whitelist = network_whitelist | project process_path;\r\nlet src_ip_whitelist = network_whitelist | project src_ip;\r\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\r\nlet dst_port_whitelist = network_whitelist | project dst_port;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 3\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name",
         "size": 0,
         "showAnalytics": true,
-        "title": "Network connections",
+        "title": "Network connections  (not whitelisted)",
+        "noDataMessage": "No network connection activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -964,10 +973,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 12\r\n| where isnotempty(technique_name)| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path",
+        "query": "let event_type_whitelist = registry_whitelist | project event_type;\r\nlet process_path_whitelist = registry_whitelist | project process_path;\r\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 12\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path",
         "size": 0,
         "showAnalytics": true,
-        "title": "Registry access",
+        "title": "Registry access (not whitelisted)",
+        "noDataMessage": "No registry access activity matching ATT&CK techniques  for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1102,10 +1112,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where EventID == 17\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
+        "query": "let process_path_whitelist = pipe_whitelist | project process_path;\r\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\r\nSysmon\r\n| where EventID == 17\r\n| where Computer contains \"{host}\"\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id",
         "size": 0,
         "showAnalytics": true,
-        "title": "Pipes",
+        "title": "Pipes (not whitelisted)",
+        "noDataMessage": "No pipe create and connect activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1229,10 +1240,11 @@
       "type": 3,
       "content": {
         "version": "KqlItem/1.0",
-        "query": "Sysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 22\r\n| where isnotempty(technique_name)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid",
+        "query": "let host_whitelist = dns_whitelist | project host;\r\nlet process_whitelist = dns_whitelist | project process_path;\r\nlet query_whitelist = dns_whitelist | project query_name;\r\nSysmon\r\n| where Computer contains \"{host}\"\r\n| where EventID == 22\r\n| where isnotempty(technique_name)\r\n| where process_path !in~ (process_whitelist) and dns_query_name !in~ (query_whitelist)\r\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid",
         "size": 0,
         "showAnalytics": true,
-        "title": "DNS queries",
+        "title": "DNS queries (not whitelisted)",
+        "noDataMessage": "No DNS activity matching ATT&CK techniques for host",
         "timeContext": {
           "durationMs": 0
         },
@@ -1459,6 +1471,13 @@
       "styleSettings": {
         "progressStyle": "loader"
       }
+    },
+    {
+      "type": 1,
+      "content": {
+        "json": "---\r\nComputer drilldown v.1.3.0, built by **Edoardo Gerosa**"
+      },
+      "name": "text - 12"
     }
   ],
   "fromTemplateId": "sentinel-UserWorkbook",