Name,Id
AcrPush,8311e382-0749-4cb8-b61a-304f252e45ec
API Management Service Contributor,312a565d-c81f-4fd8-895a-4e21e48d571c
AcrPull,7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrImageSigner,6cef56e8-d556-48e5-a04f-b8e64114680f
AcrDelete,c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrQuarantineReader,cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter,c8d4ff99-41c3-41a8-9f60-21dfdad59608
API Management Service Operator Role,e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role,71522526-b88f-4d52-b57f-d31fc3546d0d
CVE,Vendor,Product,Name
CVE-2021-27104,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability
CVE-2021-27102,Accellion,FTA,Accellion FTA OS Command Injection Vulnerability
CVE-2021-27101,Accellion,FTA,Accellion FTA SQL Injection Vulnerability
CVE-2021-27103,Accellion,FTA,Accellion FTA SSRF Vulnerability
CVE-2021-21017,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Heap-based Buffer Overflow Vulnerability
CVE-2021-28550,Adobe,Acrobat and Reader,Adobe Acrobat and Reader Use-After-Free Vulnerability
CVE-2018-4939,Adobe,ColdFusion,Adobe ColdFusion Deserialization of Untrusted Data vulnerability
CVE-2018-15961,Adobe,ColdFusion,Adobe ColdFusion RCE
CVE-2018-4878,Adobe,Flash Player,Adobe Flash Player Use after Free vulnerability
Azure AD Audit 31
Azure AD Signins 24
Office 365 Activity 14
Active Directory 12
Defender for Endpoint 26
Azure Activity 6
Microsoft Sentinel Incidents 2
Azure AD Risk Events 1
Heartbeat 2
Functions 3
1. How many distinct users signed into the tenant in February?
SigninLogs
| distinct UserPrincipalName
| count
841
2. Which application had the most signins? List the application name.
//Look for low-prevalence SHA256s associated with service creation that are new to your environment in the last day
//credit to mRr3b00t @UK_Daniel_Card for the idea and starting point and @lawndoc for the updates
let PrevalenceThreshold = 1000;
let knownSHA =
//Find all the existing SHA256s associated with service creation events in the last 30 days (excluding the last day)
DeviceEvents
| where Timestamp > ago(30d) and Timestamp < ago(1d)
| where ActionType == "ServiceInstalled"
//Join on FileName to pull the file hash from DeviceFileEvents; the right-side hash lands in SHA2561, so the left-side SHA256 column is dropped
| join (DeviceFileEvents) on FileName
| project-away SHA256;
RoleName,RoleDescription,RoleId
AcrDelete,"Delete repositories, tags, or manifests from a container registry.",c2f4ef07-c644-48eb-af81-4b1b4947fb11
AcrImageSigner,Push trusted images to or pull trusted images from a container registry enabled for content trust.,6cef56e8-d556-48e5-a04f-b8e64114680f
AcrPull,Pull artifacts from a container registry.,7f951dda-4ed3-4680-a7ca-43fe172d538d
AcrPush,Push artifacts to or pull artifacts from a container registry.,8311e382-0749-4cb8-b61a-304f252e45ec
AcrQuarantineReader,Pull quarantined images from a container registry.,cdda3590-29a3-44f6-95f2-9f980659eb04
AcrQuarantineWriter,Push quarantined images to or pull quarantined images from a container registry.,c8d4ff99-41c3-41a8-9f60-21dfdad59608
API Management Service Contributor,Can manage service and the APIs,312a565d-c81f-4fd8-895a-4e21e48d571c
API Management Service Operator Role,Can manage service but not the APIs,e022efe7-f5ba-4159-bbe4-b44f577e9b61
API Management Service Reader Role,Read-only access to service and API
"srcdev=10.10.10.10,date=Mar 13th 2023,time=08.00.00(+5 GMT),action=accept,sourceip=50.50.50.50,dstip=192.168.200.100,srcprt=443,dstprt=443,xproto=tcp,bytesin=39230,bytesout=392378"
"srcdev=10.10.10.10,date=Mar 13th 2023,time=07.44.33(+5 GMT),action=accept,sourceip=50.50.50.40,dstip=192.168.200.150,srcprt=2343,dstprt=22,xproto=tcp,bytesin=65122,bytesout=238944"
"srcdev=10.10.10.10,date=Mar 16th 2023,time=17.34.11(+5 GMT),action=accept,sourceip=50.50.60.50,dstip=192.168.200.133,srcprt=34234,dstprt=21,xproto=tcp,bytesin=94382300,bytesout=23409239239"
"srcdev=10.10.10.10,date=Mar 13th 2023,time=11.44.04(+5 GMT),action=drop,sourceip=50.60.50.50,dstip=192.168.200.111,srcprt=8500,dstprt=8500,xproto=tcp,bytesin=39230,bytesout=392378"
"device:10.10.10.30,timestamp:4/25/2023 07:44:44z,policy:default-corp-in,outcome:allow,src=50.23.23.23:48236/tcp,dst=192.168.200.158:3389/tcp,datain=390389bytes,dataout=402394bytes,tz=-4"
"device:10.10.10.30,timestamp:4/26/2023 14:22:55z,policy:default-dmz,outcome:deny,src=50.23.26.23:4
RoleName,ID,DisplayName,Description
APIConnectors.Read.All,b86848a7-d5b1-41eb-a9b4-54a4e6306e97,Read API connectors for authentication flows,"Allows the app to read the API connectors used in user authentication flows, without a signed-in user."
APIConnectors.ReadWrite.All,1dfe531a-24a6-4f1b-80f4-7a0dc5a0a171,Read and write API connectors for authentication flows,"Allows the app to read, create and manage the API connectors used in user authentication flows, without a signed-in user."
AccessReview.Read.All,d07a8cc0-3d51-4b77-b3b0-32704d1f69fa,Read all access reviews,"Allows the app to read access reviews, reviewers, decisions and settings in the organization, without a signed-in user."
AccessReview.ReadWrite.All,ef5f7d5c-338f-44b0-86c3-351f46c8bb5f,Manage all access reviews,"Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions and settings in the organization, without a signed-in user."
AccessReview.ReadWrite.Membership,18228521-a591-40f1-b215-5fad4488c117,Manage