fix preview prefix (#312)

sagamzu committed Sep 10, 2019
1 parent 0a1b7f3 commit 6fff1aaf6d9dbc1d72c4f9a501b35d8fc6b78312
Showing with 29 additions and 29 deletions.
  1. +1 −1 Detections/Syslog/ssh_NewlyInternetExposed.yaml
  2. +2 −2 Detections/Syslog/ssh_potentialBruteForce.yaml
  3. +1 −1 Detections/ThreatIntelligenceIndicator/DomainEntity_DnsEvents.yaml
  4. +2 −2 Detections/ThreatIntelligenceIndicator/DomainEntity_PaloAlto.yaml
  5. +1 −1 Detections/ThreatIntelligenceIndicator/DomainEntity_SecurityAlert.yaml
  6. +1 −1 Detections/ThreatIntelligenceIndicator/DomainEntity_Syslog.yaml
  7. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_AzureActivity.yaml
  8. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_OfficeActivity.yaml
  9. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_PaloAlto.yaml
  10. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityAlert.yaml
  11. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_SecurityEvent.yaml
  12. +1 −1 Detections/ThreatIntelligenceIndicator/EmailEntity_SigninLogs.yaml
  13. +1 −1 Detections/ThreatIntelligenceIndicator/FileHashEntity_CommonSecurityLog.yaml
  14. +1 −1 Detections/ThreatIntelligenceIndicator/FileHashEntity_SecurityEvent.yaml
  15. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_AWSCloudTrail.yaml
  16. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_AzureActivity.yaml
  17. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_DnsEvents.yaml
  18. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_OfficeActivity.yaml
  19. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_VMConnection.yaml
  20. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_W3CIISLog.yaml
  21. +1 −1 Detections/ThreatIntelligenceIndicator/IPEntity_WireData.yaml
  22. +1 −1 Detections/ThreatIntelligenceIndicator/IPentity_SigninLogs.yaml
  23. +1 −1 Detections/ThreatIntelligenceIndicator/URLEntity_AuditLogs.yaml
  24. +1 −1 Detections/ThreatIntelligenceIndicator/URLEntity_OfficeActivity.yaml
  25. +1 −1 Detections/ThreatIntelligenceIndicator/URLEntity_PaloAlto.yaml
  26. +1 −1 Detections/ThreatIntelligenceIndicator/URLEntity_SecurityAlerts.yaml
  27. +1 −1 Detections/ThreatIntelligenceIndicator/URLEntity_Syslog.yaml
@@ -1,5 +1,5 @@
id: 4915c713-ab38-432e-800b-8e2d46933de6
name: Ssh newly internet-exposed endpoints
name: SSH newly internet-exposed endpoints
description: Endpoints with a history of sign-ins only from private IP addresses are accessed from a public IP address.
severity: Medium
requiredDataConnectors:
@@ -1,7 +1,7 @@
id: e1ce0eab-10d1-4aae-863f-9a383345ba88
name: Ssh Potential Brute Force
name: SSH Potential Brute Force
description: |
'Identifies an IP address that had 15 failed attempts to sign in via ssh in a 4 hour block during a 24 hour time period.'
'Identifies an IP address that had 15 failed attempts to sign in via SSH in a 4 hour block during a 24 hour time period.'
severity: Medium
requiredDataConnectors:
- connectorId: Syslog
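Review bot: The SSH casing changes in this hunk and in the preceding ssh_NewlyInternetExposed hunk are outside the "fix preview prefix" scope stated in the commit title; either mention them in the commit message or split them into their own commit so the rename of the preview rules stays reviewable on its own. The id lines are unchanged in both hunks, so the edits only affect the displayed name and description text, which is the right way to do a cosmetic rename.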
@@ -1,5 +1,5 @@
id: 85aca4d1-5d15-4001-abd9-acb86ca1786a
name: Preview - TI map Domain entity to DnsEvent
name: (Preview) TI map Domain entity to DnsEvent
description: |
'Identifies a match in DnsEvent table from any Domain IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: ec21493c-2684-4acd-9bc2-696dbad72426
name: Preview - TI map Domain entity to PaloAlto
name: (Preview) TI map Domain entity to PaloAlto
description: |
'Identifies a match in Palo Alto data in CommonSecurityLog table from any Domain IOC from TI'
severity: Medium
@@ -37,7 +37,7 @@ query: |
| where TimeGenerated > ago(dt_lookBack)
| where DeviceVendor == 'Palo Alto Networks'
| where DeviceEventClassID == 'url'
| where DeviceVendor == 'PaloAltoNetworks)
| where DeviceVendor == 'PaloAltoNetworks'
//Extract domain from field
| extend domain = extract("(([a-z0-9]+(-[a-z0-9]+)*\\.)+[a-z]{2,})", 1, tolower(AdditionalExtensions))
| where isnotempty(domain)
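Review bot: After this change the query still carries two consecutive DeviceVendor equality filters with different literals, "| where DeviceVendor == 'Palo Alto Networks'" two lines above and "| where DeviceVendor == 'PaloAltoNetworks'" on the corrected line; no row can satisfy both, so the rule will return no matches at all. Drop one of them, or if both vendor spellings really occur in CommonSecurityLog, merge them into a single "| where DeviceVendor in ('Palo Alto Networks', 'PaloAltoNetworks')". Closing the unbalanced quote in "'PaloAltoNetworks)" is correct, since the previous line would not have parsed, but it is a query correctness fix rather than a preview-prefix change and should be called out in the commit message.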
@@ -1,5 +1,5 @@
id: 87890d78-3e05-43ec-9ab9-ba32f4e01250
name: Preview - TI map Domain entity to SecurityAlert
name: (Preview) TI map Domain entity to SecurityAlert
description: |
'Identifies a match in SecurityAlert table from any Domain IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 532f62c1-fba6-4baa-bbb6-4a32a4ef32fa
name: Preview - TI map Domain entity to Syslog
name: (Preview) TI map Domain entity to Syslog
description: |
'Identifies a match in Syslog table from any Domain IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: cca3b4d9-ac39-4109-8b93-65bb284003e6
name: Preview - TI map Email entity to AzureActivity
name: (Preview) TI map Email entity to AzureActivity
description: |
'Identifies a match in AzureActivity table from any Email IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 4a3f5ed7-8da5-4ce2-af6f-c9ada45060f2
name: Preview - TI map Email entity to OfficeActivity
name: (Preview) TI map Email entity to OfficeActivity
description: |
'Identifies a match in OfficeActivity table from any Email IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: ffcd575b-3d54-482a-a6d8-d0de13b6ac63
name: Preview - TI map Email entity to CommonSecurityLog
name: (Preview) TI map Email entity to CommonSecurityLog
description: |
'Identifies a match in CommonSecurityLog table from any Email IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: a2e36ce0-da4d-4b6e-88c6-4e40161c5bfc
name: Preview - TI map Email entity to SecurityAlert
name: (Preview) TI map Email entity to SecurityAlert
description: |
'Identifies a match in SecurityAlert table from any Email IOC from TI which will extend coverage to datatypes such as MCAS, StorageThreatProtection and many others'
severity: Medium
@@ -1,5 +1,5 @@
id: 2fc5d810-c9cc-491a-b564-841427ae0e50
name: Preview - TI map Email entity to SecurityEvent
name: (Preview) TI map Email entity to SecurityEvent
description: |
'Identifies a match in SecurityEvent table from any Email IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 30fa312c-31eb-43d8-b0cc-bcbdfb360822
name: Preview - TI map Email entity to SigninLogs
name: (Preview) TI map Email entity to SigninLogs
description: |
'Identifies a match in SigninLogs table from any Email IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 5d33fc63-b83b-4913-b95e-94d13f0d379f
name: Preview - TI map File Hash to CommonSecurityLog Event
name: (Preview) TI map File Hash to CommonSecurityLog Event
description: |
'Identifies a match in CommonSecurityLog Event data from any FileHash IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: a7427ed7-04b4-4e3b-b323-08b981b9b4bf
name: Preview - TI map File Hash to Security Event
name: (Preview) TI map File Hash to Security Event
description: |
'Identifies a match in Security Event data from any File Hash IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: f110287e-1358-490d-8147-ed804b328514
name: Preview - TI map IP entity to AWSCloudTrail
name: (Preview) TI map IP entity to AWSCloudTrail
description: |
'Identifies a match in AWSCloudTrail from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 2441bce9-02e4-407b-8cc7-7d597f38b8b0
name: Preview - TI map IP entity to AzureActivity
name: (Preview) TI map IP entity to AzureActivity
description: |
'Identifies a match in AzureActivity from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 69b7723c-2889-469f-8b55-a2d355ed9c87
name: Preview - TI map IP entity to DnsEvents
name: (Preview) TI map IP entity to DnsEvents
description: |
'Identifies a match in DnsEvents from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: f15370f4-c6fa-42c5-9be4-1d308f40284e
name: Preview - TI map IP entity to OfficeActivity
name: (Preview) TI map IP entity to OfficeActivity
description: |
'Identifies a match in OfficeActivity from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 9713e3c0-1410-468d-b79e-383448434b2d
name: Preview - TI map IP entity to VMConnection
name: (Preview) TI map IP entity to VMConnection
description: |
'Identifies a match in VMConnection from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 5e45930c-09b1-4430-b2d1-cc75ada0dc0f
name: Preview - TI map IP entity to W3CIISLog
name: (Preview) TI map IP entity to W3CIISLog
description: |
'Identifies a match in W3CIISLog from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: a50766a7-0674-4ccb-8845-15dc55a80ba1
name: Preview - TI map IP entity to WireData
name: (Preview) TI map IP entity to WireData
description: |
'Identifies a match in WireData from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: f2eb15bd-8a88-4b24-9281-e133edfba315
name: Preview - TI map IP entity to SigninLogs
name: (Preview) TI map IP entity to SigninLogs
description: |
'Identifies a match in SigninLogs from any IP IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 712fab52-2a7d-401e-a08c-ff939cc7c25e
name: Preview - TI map URL entity to AuditLogs
name: (Preview) TI map URL entity to AuditLogs
description: |
'Identifies a match in AuditLogs from any URL IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 36a9c9e5-3dc1-4ed9-afaa-1d13617bfc2b
name: Preview - TI map URL entity to OfficeActivity data
name: (Preview) TI map URL entity to OfficeActivity data
description: |
'Identifies a match in OfficeActivity data from any URL IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: 106813db-679e-4382-a51b-1bfc463befc3
name: Preview - TI map URL entity to PaloAlto data
name: (Preview) TI map URL entity to PaloAlto data
description: |
'Identifies a match in PaloAlto data from any URL IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: f30a47c1-65fb-42b1-a7f4-00941c12550b
name: Preview - TI map URL entity to SecurityAlert data
name: (Preview) TI map URL entity to SecurityAlert data
description: |
'Identifies a match in SecurityAlert data from any URL IOC from TI'
severity: Medium
@@ -1,5 +1,5 @@
id: b31037ea-6f68-4fbd-bab2-d0d0f44c2fcf
name: Preview - TI map URL entity to Syslog data
name: (Preview) TI map URL entity to Syslog data
description: |
'Identifies a match in Syslog data from any URL IOC from TI'
severity: Medium
