Commit
Typo corrections in queries (#684)

* Typo corrections in queries
* Added queries for Identity table (on prem AD)
* Added a pandas accessor for the panel data viewer
* Fixed a bug in iocextract causing confusion between defanged emails and domains with "at" in them.
* Also made the operation on defanged IoCs more consistent so it can be set at the class level or during the function call to search for or validate an IoC type.

* Make defanged=True by default
  Changing behavior back to previous default. Adding test case for name[at]domain
Showing 8 changed files with 276 additions and 52 deletions.
@@ -0,0 +1,74 @@ | ||
metadata: | ||
version: 1 | ||
description: M365D User Queries | ||
data_environments: [MDATP, MDE, M365D, LogAnalytics] | ||
data_families: [IdentityOnPrem] | ||
tags: ["user", "account"] | ||
defaults: | ||
metadata: | ||
data_source: "user_events" | ||
parameters: | ||
start: | ||
description: Query start time | ||
type: datetime | ||
end: | ||
description: Query end time | ||
type: datetime | ||
add_query_items: | ||
description: Additional query clauses | ||
type: str | ||
default: "" | ||
time_column: | ||
description: The name of the column detailing the time the event was generated. | ||
type: str | ||
default: "Timestamp" | ||
table: | ||
description: Table name | ||
type: str | ||
default: IdentityLogonEvents | ||
sources: | ||
logons_for_account: | ||
description: Return all Active Directory on-premises user logons for user name | ||
metadata: | ||
args: | ||
query: ' | ||
{table} | ||
| where {time_column} >= datetime({start}) | ||
| where {time_column} <= datetime({end}) | ||
| where AccountUpn has "{account_name}" | ||
{add_query_items}' | ||
uri: None | ||
parameters: | ||
account_name: | ||
description: Name or part name of user/UPN | ||
type: str | ||
logons_for_ip: | ||
description: Return all Active Directory on-premises user logons for ip address | ||
metadata: | ||
args: | ||
query: ' | ||
{table} | ||
| where {time_column} >= datetime({start}) | ||
| where {time_column} <= datetime({end}) | ||
| where IPAddress == "{ip_address}" | ||
{add_query_items}' | ||
uri: None | ||
parameters: | ||
ip_address: | ||
description: Source IP address of logons | ||
type: str | ||
logons_for_host: | ||
description: Return all Active Directory on-premises user logons for host/device name | ||
metadata: | ||
args: | ||
query: ' | ||
{table} | ||
| where {time_column} >= datetime({start}) | ||
| where {time_column} <= datetime({end}) | ||
| where DeviceName has "{host_name}" | ||
{add_query_items}' | ||
uri: None | ||
parameters: | ||
host_name: | ||
description: The host/device source name for logons | ||
type: str |
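Review bot: the `has` operator in `| where AccountUpn has "{account_name}"` and `| where DeviceName has "{host_name}"` matches whole terms only, so the parameter descriptions ("Name or part name of user/UPN", "The host/device source name") promise more than the queries deliver: a fragment that is not a complete term in the value, such as the first few letters of a user name, returns no rows. Either switch to `contains` (or `startswith` where a prefix is what is meant) or reword the descriptions to say the value must be a whole term. Two smaller points in the same hunk: `description: M365D User Queries` in the file metadata does not reflect that `data_families` is `IdentityOnPrem` and every source is described as on-premises AD logons, so a name like "M365D Identity (on-prem AD) logon queries" would make the provider listing clearer; and, as written, each parameter is interpolated directly inside a double-quoted KQL literal, so a value containing a double quote alters the query rather than being treated as data, which is worth a comment in the parameter description if callers may pass untrusted input.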