Merge pull request #310 from Azure/FixupSyntax-Sept9

Fixing typos and updating titles for TI to preview

Detections/AWSCloudTrail/AWS_ClearStopChangeTrailLogs.yaml

@@ -21,7 +21,7 @@ query: |
   let timeframe = 1d;
   AWSCloudTrail
   | where TimeGenerated >= ago(timeframe)
-  | where EventName == "UpdateTrail" or EventName == "DeleteTrail" or EventName == "StopLogging”
+  | where EventName == "UpdateTrail" or EventName == "DeleteTrail" or EventName == "StopLogging"
   | project TimeGenerated, EventName, EventTypeName, UserIdentityAccountId, UserIdentityPrincipalid, UserAgent, 
   UserIdentityUserName, SessionMfaAuthenticated, SourceIpAddress, AWSRegion, EventSource
   | extend timestamp = TimeGenerated, AccountCustomEntity = UserIdentityUserName, IPCustomEntity = SourceIpAddress

Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml

@@ -1,5 +1,5 @@
 id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
-name: TI map Domain entity to DnsEvent.
+name: Preview - TI map Domain entity to DnsEvent
 description: |
   'Identifies a match in DnsEvent table from any Domain IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml

@@ -1,5 +1,5 @@
 id: ec21493c-2684-4acd-9bc2-696dbad72426
-name: TI map Domain entity to PaloAlto.
+name: Preview - TI map Domain entity to PaloAlto
 description: |
   'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml

@@ -1,5 +1,5 @@
 id: 87890d78-3e05-43ec-9ab9-ba32f4e01250
-name: TI map Domain entity to SecurityAlert.
+name: Preview - TI map Domain entity to SecurityAlert
 description: |
   'Identifies a match in SecurityAlert table from any Domain IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml

@@ -1,5 +1,5 @@
 id: 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa
-name: TI map Domain entity to Syslog.
+name: Preview - TI map Domain entity to Syslog
 description: |
   'Identifies a match in Syslog table from any Domain IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml

@@ -1,5 +1,5 @@
 id: cca3b4d9-ac39-4109-8b93-65bb284003e6
-name: TI map Email entity to AzureActivity. 
+name: Preview - TI map Email entity to AzureActivity
 description: |
   'Identifies a match in AzureActivity table from any Email IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml

@@ -1,5 +1,5 @@
 id: 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2
-name: TI map Email entity to OfficeActivity. 
+name: Preview - TI map Email entity to OfficeActivity
 description: |
   'Identifies a match in OfficeActivity table from any Email IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml

@@ -1,5 +1,5 @@
 id: ffcd575b-3d54-482a-a6d8-d0de13b6ac63
-name: TI map Email entity to CommonSecurityLog. 
+name: Preview - TI map Email entity to CommonSecurityLog
 description: |
   'Identifies a match in CommonSecurityLog table from any Email IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml

@@ -1,5 +1,5 @@
 id: a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc
-name: TI map Email entity to SecurityAlert. 
+name: Preview - TI map Email entity to SecurityAlert
 description: |
   'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml

@@ -1,5 +1,5 @@
 id: 2fc5d810-c9cc-491a-b564-841427ae0e50
-name: TI map Email entity to SecurityEvent
+name: Preview - TI map Email entity to SecurityEvent
 description: |
   'Identifies a match in SecurityEvent table from any Email IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml

@@ -1,5 +1,5 @@
 id: 30fa312c-31eb-43d8-b0cc-bcbdfb360822
-name: TI map Email entity to SigninLogs
+name: Preview - TI map Email entity to SigninLogs
 description: |
   'Identifies a match in SigninLogs table from any Email IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml

@@ -1,10 +1,10 @@
 id: 5d33fc63-b83b-4913-b95e-94d13f0d379f
-name: TI map File Hash to CommonSecurityLog Event
+name: Preview - TI map File Hash to CommonSecurityLog Event
 description: |
   'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI'
 severity: Medium
 requiredDataConnectors:
-  - connectorId: CommonSecurityLog
+  - connectorId: PaloAltoNetworks
     dataTypes:
       - CommonSecurityLog
   - connectorId: ThreatIntelligence

Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml

@@ -1,10 +1,10 @@
 id: a7427ed7-04b4-4e3b-b323-08b981b9b4bf
-name: TI map File Hash to Security Event
+name: Preview - TI map File Hash to Security Event
 description: |
   'Identifies a match in Security Event data from any File Hash IOC from TI'
 severity: Medium
 requiredDataConnectors:
-  - connectorId: SecurityEvent
+  - connectorId: SecurityEvents
     dataTypes:
       - SecurityEvent
   - connectorId: ThreatIntelligence

Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml

@@ -1,5 +1,5 @@
 id: f110287e-1358-490d-8147-ed804b328514
-name: TI map IP entity to AWSCloudTrail
+name: Preview - TI map IP entity to AWSCloudTrail
 description: |
   'Identifies a match in AWSCloudTrail from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml

@@ -1,5 +1,5 @@
 id: 2441bce9-02e4-407b-8cc7-7d597f38b8b0
-name: TI map IP entity to AzureActivity
+name: Preview - TI map IP entity to AzureActivity
 description: |
   'Identifies a match in AzureActivity from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml

@@ -1,5 +1,5 @@
 id: 69b7723c-2889-469f-8b55-a2d355ed9c87
-name: TI map IP entity to DnsEvents
+name: Preview - TI map IP entity to DnsEvents
 description: |
   'Identifies a match in DnsEvents from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml

@@ -1,5 +1,5 @@
 id: f15370f4-c6fa-42c5-9be4-1d308f40284e
-name: TI map IP entity to OfficeActivity
+name: Preview - TI map IP entity to OfficeActivity
 description: |
   'Identifies a match in OfficeActivity from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml

@@ -1,5 +1,5 @@
 id: 9713e3c0-1410-468d-b79e-383448434b2d
-name: TI map IP entity to VMConnection
+name: Preview - TI map IP entity to VMConnection
 description: |
   'Identifies a match in VMConnection from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml

@@ -1,5 +1,5 @@
 id: 5e45930c-09b1-4430-b2d1-cc75ada0dc0f
-name: TI map IP entity to W3CIISLog
+name: Preview - TI map IP entity to W3CIISLog
 description: |
   'Identifies a match in W3CIISLog from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml

@@ -1,5 +1,5 @@
 id: a50766a7-0674-4ccb-8845-15dc55a80ba1
-name: TI map IP entity to WireData
+name: Preview - TI map IP entity to WireData
 description: |
   'Identifies a match in WireData from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml

@@ -1,5 +1,5 @@
 id: f2eb15bd-8a88-4b24-9281-e133edfba315
-name: TI map IP entity to SigninLogs
+name: Preview - TI map IP entity to SigninLogs
 description: |
   'Identifies a match in SigninLogs from any IP IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml

@@ -1,5 +1,5 @@
 id: 712fab52-2a7d-401e-a08c-ff939cc7c25e
-name: TI map URL entity to AuditLogs
+name: Preview - TI map URL entity to AuditLogs
 description: |
   'Identifies a match in AuditLogs from any URL IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml

@@ -1,5 +1,5 @@
 id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
-name: TI map URL entity to OfficeActivity data
+name: Preview - TI map URL entity to OfficeActivity data
 description: |
   'Identifies a match in OfficeActivity data from any URL IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml

@@ -1,5 +1,5 @@
 id: 106813db-679e-4382-a51b-1bfc463befc3
-name: TI map URL entity to PaloAlto data
+name: Preview - TI map URL entity to PaloAlto data
 description: |
   'Identifies a match in PaloAlto data from any URL IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml

@@ -1,5 +1,5 @@
 id: f30a47c1-65fb-42b1-a7f4-00941c12550b
-name: TI map URL entity to SecurityAlert data
+name: Preview - TI map URL entity to SecurityAlert data
 description: |
   'Identifies a match in SecurityAlert data from any URL IOC from TI'
 severity: Medium

Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml

@@ -1,5 +1,5 @@
 id: b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf
-name: TI map URL entity to Syslog data
+name: Preview - TI map URL entity to Syslog data
 description: |
   'Identifies a match in Syslog data from any URL IOC from TI'
 severity: Medium

Hunting Queries/ThreatIntelligenceIndicator/FileEntity_OfficeActivity.yaml

@@ -1,5 +1,5 @@
 id: 410da56d-4a63-4d22-b68c-9fb1a303be6d 
-name: TI map File entity to OfficeActivity Event
+name: Preview - TI map File entity to OfficeActivity Event
 description: |
   'Identifies a match in OfficeActivity Event data from any FileName IOC from TI.
   As File name matches can create noise, this is best as hunting query'

Hunting Queries/ThreatIntelligenceIndicator/FileEntity_SecurityEvent.yaml

@@ -1,5 +1,5 @@
 id: 233441b9-cc92-4c9b-87fa-73b855fcd4b8
-name: TI map File entity to Security Event
+name: Preview - TI map File entity to Security Event
 description: |
   'Identifies a match in Security Event data from any FileName IOC from TI.
   As File name matches can create noise, this is best as hunting query'

Hunting Queries/ThreatIntelligenceIndicator/FileEntity_Syslog.yaml

@@ -1,5 +1,5 @@
 id: 18f7de84-de55-4983-aca3-a18bc846b4e0 
-name: TI map File entity to Syslog Event
+name: Preview - TI map File entity to Syslog Event
 description: |
   'Identifies a match in Syslog Event data from any FileName IOC from TI.
   As File name matches can create noise, this is best as hunting query'

Hunting Queries/ThreatIntelligenceIndicator/FileEntity_VMConnection.yaml

@@ -1,5 +1,5 @@
 id: 172a321b-c46b-4508-87c6-e2691c778107
-name: TI map File entity to VMConnection Event
+name: Preview - TI map File entity to VMConnection Event
 description: |
   'Identifies a match in VMConnection Event data from any FileName IOC from TI.
   As File name matches can create noise, this is best as hunting query'

Hunting Queries/ThreatIntelligenceIndicator/FileEntity_WireData.yaml

@@ -1,5 +1,5 @@
 id: 689a9475-440b-4e69-8ab1-a5e241685f39 
-name: TI map File entity to WireData Event
+name: Preview - TI map File entity to WireData Event
 description: |
   'Identifies a match in WireData Event data from any FileName IOC from TI.
   As File name matches can create noise, this is best as hunting query'

Hunting Queries/ThreatIntelligenceIndicator/Sample-DNSEventsMatchToThreatIntel.yaml

@@ -1,5 +1,5 @@
 id: a411fe4c-2ee0-4ee0-b579-55d74b6e7371
-name: DNS Events that match threat intelligence
+name: Preview - DNS Events that match threat intelligence
 description: |
   'This sample hunting query demonstrates how to utilize the threat intelligence data with the DNS event logs'
 severity: Medium