diff --git a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
index 284faf2d22a7..1c2e438985a3 100644
--- a/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
+++ b/Packs/Azure-Enrichment-Remediation/Playbooks/playbook-Azure_-_User_Investigation.yml
@@ -131,7 +131,7 @@ tasks:
 extend-context:
 simple: AzureUncommonCountryLogon=
 query:
- simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ simple: "BehaviorAnalytics\n| where ActivityInsights.FirstTimeUserConnectedFromCountry == \"True\"\n| where UserPrincipalName == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -354,7 +354,7 @@ tasks:
 extend-context:
 simple: AzureUncommonVolume=
 query:
- simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
+ simple: "BehaviorAnalytics\n| where ActivityInsights.UncommonHighVolumeOfActions == \"True\"\n| where UserPrincipalName == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(ActionType)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
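Review bot: The `@"..."` verbatim literal on the added `simple:` lines only stops backslashes in `${inputs.Username}` from being read as KQL escapes; the input is still spliced into the query as text, so a double quote inside the username would still close the literal and change the query, and the `@'...'` form in the SIEM playbook hunk at @@ -326 has the same limit with a single quote. Since a playbook input cannot be bound as a query parameter here, the playbook should validate `inputs.Username` before any query task runs, for example a task that fails the playbook when the value contains `"` or `'`, or that doubles the quote (the KQL way of escaping a quote inside a verbatim literal). The same point applies to the other query hunks of this file (@@ -394, -437, -476, -513, -552, -589, -626, -665, -741), so one validation task at the start of the playbook covers all of them. The playbook description should also state the assumption, e.g. `Username is inserted into Log Analytics queries as a verbatim string literal and must not contain quote characters.` The tasks these hunks belong to start outside the hunks.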
@@ -394,7 +394,7 @@ tasks:
 simple: |-
 BehaviorAnalytics
 | where ActivityInsights.ActionUncommonlyPerformedByUser == "True"
- | where UserPrincipalName == "${inputs.Username}"
+ | where UserPrincipalName == @"${inputs.Username}"
 | where TimeGenerated > ${inputs.AzureSearchTime}
 | summarize Count = count(), Events = make_list(ActionType)
 separatecontext: false
@@ -437,7 +437,7 @@ tasks:
 IdentityInfo
 | where RiskState contains "Risk"
 | where RiskLevel == "High"
- | where AccountUPN == "${inputs.Username}"
+ | where AccountUPN == @"${inputs.Username}"
 | where TimeGenerated > ${inputs.AzureSearchTime}
 | summarize Count = count()
 separatecontext: false
@@ -476,7 +476,7 @@ tasks:
 extend-context:
 simple: AzureAnomalies=
 query:
- simple: "Anomalies \n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
+ simple: "Anomalies \n| where UserPrincipalName == @\"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AnomalyDetails)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -513,7 +513,7 @@ tasks:
 extend-context:
 simple: AzureNumOfFailLogin=
 query:
- simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
+ simple: "SigninLogs \n| where parse_json(Status) contains \"fail\"\n| where UserPrincipalName == @\"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.failedLogonThreshold}\n| summarize Count = count()"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -552,7 +552,7 @@ tasks:
 ignore-outputs:
 simple: "false"
 query:
- simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
+ simple: "AuditLogs \n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == @\"${inputs.Username}\" \n| where AdditionalDetails[0].value contains \"python\" or AdditionalDetails[0].value contains \"curl\" or AdditionalDetails[0].value contains \"axios\" or AdditionalDetails[0].value contains \"httpie\" or AdditionalDetails[0].value contains \"wget\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(AdditionalDetails)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -589,7 +589,7 @@ tasks:
 extend-context:
 simple: AzureSuccessSecurityRulesChange=
 query:
- simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus == \"Succeeded\"\n| where Caller == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -626,7 +626,7 @@ tasks:
 extend-context:
 simple: AzureUnsuccessSecurityRulesChange=
 query:
- simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller == \"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ simple: "AzureActivity\n| where OperationName in (\"Delete Security Rule\",\"Create or Update Security Rule\",\"Update Alert Rules\",\"Delete Alert Rules\",\"Delete Watchlists\",\"Update Watchlists\",\"Microsoft.SecurityInsights/watchlists/watchlistItems/delete\",\"Create or Update Application Gateway WAF Policy\",\"Delete Application Gateway WAF Policy\",\"Update database threat detection policy\")\n| where ActivityStatus != \"Succeeded\"\n| where Caller == @\"${inputs.Username}\" \n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -665,7 +665,7 @@ tasks:
 ignore-outputs:
 simple: "false"
 query:
- simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == \"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
+ simple: "AuditLogs\n| where parse_json(tostring(InitiatedBy.user)).userPrincipalName == @\"${inputs.Username}\" \n| where Category in (\"ApplicationManagement\", \"UserManagement\", \"PolicyManagement\", \"GroupManagement\")| where Result == \"success\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize Count = count(), Events = make_list(OperationName)"
 separatecontext: false
 continueonerrortype: ""
 view: |-
@@ -741,7 +741,7 @@ tasks:
 extend-context:
 simple: AzureNumOfFailMFA=
 query:
- simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == \"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
+ simple: "SigninLogs \n| where ResultType =~ \"50074\"\n| where UserPrincipalName == @\"${inputs.Username}\"\n| where TimeGenerated > ${inputs.AzureSearchTime}\n| summarize ActionCount = count() by UserPrincipalName\n| where ActionCount > ${inputs.MfaAttemptThreshold}"
 separatecontext: false
 continueonerrortype: ""
 view: |-
diff --git a/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_20.md b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_20.md
new file mode 100644
index 000000000000..b029fb30d5cf
--- /dev/null
+++ b/Packs/Azure-Enrichment-Remediation/ReleaseNotes/1_1_20.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### Azure - User Investigation
+
+Updated the Azure Log Analytics queries to support special characters.
\ No newline at end of file
diff --git a/Packs/Azure-Enrichment-Remediation/pack_metadata.json b/Packs/Azure-Enrichment-Remediation/pack_metadata.json
index 01b496c0d40f..49a1a151c28e 100644
--- a/Packs/Azure-Enrichment-Remediation/pack_metadata.json
+++ b/Packs/Azure-Enrichment-Remediation/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Azure Enrichment and Remediation",
 "description": "Playbooks using multiple Azure content packs for enrichment and remediation purposes",
 "support": "xsoar",
- "currentVersion": "1.1.19",
+ "currentVersion": "1.1.20",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",
diff --git a/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml b/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml
index f0bd1c48e61d..6f01612d216b 100644
--- a/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml
+++ b/Packs/CommonPlaybooks/Playbooks/playbook-SIEM_-_Search_for_Failed_logins.yml
@@ -326,7 +326,7 @@ tasks:
 simple: |-
 SecurityEvent
 | where EventID == 4771 or EventID == 4625 and (LogonType == 2 or LogonType == 7 or LogonType == 10)
- | where TargetAccount == '${inputs.Username}'
+ | where TargetAccount == @'${inputs.Username}'
 | where TimeGenerated > ${inputs.AzureSearchTime}
 separatecontext: false
 continueonerrortype: ""
@@ -774,7 +774,7 @@ outputs:
 - contextPath: AzureFailedLogonLogs
 description: The result of the Azure Log Analytics search.
 type: unknown
-quiet: true
+quiet: false
 tests:
 - No tests
 fromversion: 6.5.0
diff --git a/Packs/CommonPlaybooks/ReleaseNotes/2_6_41.md b/Packs/CommonPlaybooks/ReleaseNotes/2_6_41.md
new file mode 100644
index 000000000000..e13c2a352cf6
--- /dev/null
+++ b/Packs/CommonPlaybooks/ReleaseNotes/2_6_41.md
@@ -0,0 +1,6 @@
+
+#### Playbooks
+
+##### SIEM - Search for Failed logins
+
+Updated the Azure Log Analytics query to support special characters.
\ No newline at end of file
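Review bot: The `-quiet: true` / `+quiet: false` change at @@ -774 is not covered by ReleaseNotes/2_6_41.md, which only mentions the query update, and it is unrelated to the `@'...'` fix at @@ -326. If I recall the playbook schema correctly, quiet mode keeps task inputs and outputs out of the war room, so turning it off presumably makes the Log Analytics query and its sign-in log results visible in the incident history — confirm that is intended for a search that returns failed-logon records. If it is, add a line to the release note such as `Disabled quiet mode so the search task's inputs and outputs appear in the war room.`; if not, drop the change from this commit.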
diff --git a/Packs/CommonPlaybooks/pack_metadata.json b/Packs/CommonPlaybooks/pack_metadata.json
index 9a2234b627fe..0934857eb48c 100644
--- a/Packs/CommonPlaybooks/pack_metadata.json
+++ b/Packs/CommonPlaybooks/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "Common Playbooks",
 "description": "Frequently used playbooks pack.",
 "support": "xsoar",
- "currentVersion": "2.6.40",
+ "currentVersion": "2.6.41",
 "author": "Cortex XSOAR",
 "url": "https://www.paloaltonetworks.com/cortex",
 "email": "",