SIEM_search_PB_query_fix (demisto#36422)

* Queries fixes * RN
SEKOIA-IO · Sep 23, 2024 · 0919508 · 0919508
1 parent d6e337f
commit 0919508
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 15 deletions.
diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
@@ -131,7 +131,7 @@ tasks:
       extend-context:
         simple: AzureUncommonCountryLogon=
       query:
-        simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+        simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -354,7 +354,7 @@ tasks:
       extend-context:
         simple: AzureUncommonVolume=
       query:
-        simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+        simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -394,7 +394,7 @@ tasks:
         simple: |-
           BehaviorAnalytics
           | where ActivityInsights.ActionUncommonlyPerformedByUser == "True"
-          | where UserPrincipalName == "${inputs.Username}"
+          | where UserPrincipalName == @"${inputs.Username}"
           | where TimeGenerated > ${inputs.AzureSearchTime}
           | summarize Count = count(), Events = make_list(ActionType)
     separatecontext: false
@@ -437,7 +437,7 @@ tasks:
           IdentityInfo
           | where RiskState contains "Risk"
           | where RiskLevel == "High"
-          | where AccountUPN == "${inputs.Username}"
+          | where AccountUPN == @"${inputs.Username}"
           | where TimeGenerated >  ${inputs.AzureSearchTime}
           | summarize Count = count()
     separatecontext: false
@@ -476,7 +476,7 @@ tasks:
       extend-context:
         simple: AzureAnomalies=
       query:
-        simple: "Anomalies \n| where UserPrincipalName ==  \"${inputs.Username}\"\n| where TimeGenerated >  ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
+        simple: "Anomalies \n| where UserPrincipalName ==  @\"${inputs.Username}\"\n| where TimeGenerated >  ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -513,7 +513,7 @@ tasks:
       extend-context:
         simple: AzureNumOfFailLogin=
       query:
-        simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
+        simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == @\"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -552,7 +552,7 @@ tasks:
       ignore-outputs:
         simple: "false"
       query:
-        simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
+        simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == @\"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -589,7 +589,7 @@ tasks:
       extend-context:
         simple: AzureSuccessSecurityRulesChange=
       query:
-        simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller ==  \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+        simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller ==  @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -626,7 +626,7 @@ tasks:
       extend-context:
         simple: AzureUnsuccessSecurityRulesChange=
       query:
-        simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller ==  \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+        simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller ==  @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -665,7 +665,7 @@ tasks:
       ignore-outputs:
         simple: "false"
       query:
-        simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName ==  \"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+        simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName ==  @\"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
     separatecontext: false
     continueonerrortype: ""
     view: |-
@@ -741,7 +741,7 @@ tasks:
       extend-context:
         simple: AzureNumOfFailMFA=
       query:
-        simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
+        simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == @\"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
     separatecontext: false
     continueonerrortype: ""
     view: |-

diff --git a/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_20.md b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_20.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Azure - User Investigation
+
+Updated the Azure Log Analytics queries to support special characters.
diff --git a/Packs/Azure-Enrichment-Remediation/pack_metadata.json b/Packs/Azure-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Azure Enrichment and Remediation",
     "description": "Playbooks using multiple Azure content packs for enrichment and remediation purposes",
     "support": "xsoar",
-    "currentVersion": "1.1.19",
+    "currentVersion": "1.1.20",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",

diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml b/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml
@@ -326,7 +326,7 @@ tasks:
         simple: |-
           SecurityEvent
           | where EventID == 4771 or EventID == 4625 and (LogonType ==  2 or LogonType == 7 or LogonType == 10)
-          | where TargetAccount == '${inputs.Username}'
+          | where TargetAccount == @'${inputs.Username}'
           | where TimeGenerated > ${inputs.AzureSearchTime}
     separatecontext: false
     continueonerrortype: ""
@@ -774,7 +774,7 @@ outputs:
 - contextPath: AzureFailedLogonLogs
   description: The result of the Azure Log Analytics search.
   type: unknown
-quiet: true
+quiet: false
 tests:
   - No tests
 fromversion: 6.5.0

diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_6_41.md b/Packs/CommonPlaybooks/ReleaseNotes/2_6_41.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### SIEM - Search for Failed logins
+
+Updated the Azure Log Analytics query to support special characters.
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
     "name": "Common Playbooks",
     "description": "Frequently used playbooks pack.",
     "support": "xsoar",
-    "currentVersion": "2.6.40",
+    "currentVersion": "2.6.41",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",