Yahya Abulhaj (yaya2devops)
Catching the coming wave
  • KARTY LLC
  • Doha, Qatar
yaya2devops / code-build-backend-success.yaml
Created April 16, 2023 14:05
Codebuild Cloudwatch Logs in YAML
---
-
timestamp: 1681601913497
message: "433875ea4139: Pull complete\n"
-
timestamp: 1681601913497
message: "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
-
timestamp: 1681601913497
message: "Status: Downloaded newer image for python:3.10-slim-buster\n"
yaya2devops / code-build-backend-success.json
Created April 16, 2023 14:05
Codebuild Cloudwatch Logs JSON format
[
{
"timestamp": 1681601913497,
"message": "433875ea4139: Pull complete\n"
},
{
"timestamp": 1681601913497,
"message": "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
},
{
yaya2devops / [TABULAR]code-build-backend-success.json
Created April 16, 2023 14:04
Codebuild Cloudwatch Logs in Tabular JSON format
[
[1681601913497,"433875ea4139: Pull complete\n" ],
[1681601913497,"Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n" ],
[1681601913497,"Status: Downloaded newer image for python:3.10-slim-buster\n" ],
[1681601913497," ---> 6f74f1480ab7\n" ],
[1681601913497,"Step 2/7 : WORKDIR /backend-flask\n" ],
[1681601915513," ---> Running in af21b329eb4d\n" ],
[1681601915513,"Removing intermediate container af21b329eb4d\n" ],
[1681601915513," ---> 39c4f7b30297\n" ],
[1681601915513,"Step 3/7 : COPY requirements.txt requirements.txt\n" ],
yaya2devops / buildspec.yaml
Created April 15, 2023 17:55
AWS CLOUD PROJECT BOOTCAMP 2023 - WEEK 9
version: 0.2
phases:
install:
runtime-versions:
docker: 19
commands:
- echo "cd into $CODEBUILD_SRC_DIR/backend-flask"
- cd $CODEBUILD_SRC_DIR/backend-flask
- "aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $IMAGE_URL"
build:
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
name: Suspicious Service Principal creation activity
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
severity: Low
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs
id: acc4c247-aaf7-494b-b5da-17f18863878a
name: External guest invitation followed by Azure AD PowerShell signin
description: |
'By default guests have the capability to invite more external guest users; guests can also do suspicious Azure AD enumeration. This detection looks at guest
users, who have been invited or have invited recently, who are also logging in via various PowerShell CLIs.
Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
Intent:
- Use MTP capability to look for insider threat potential risk indicators
- Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
Definition of Insider Threat:
"The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro
id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External user added and removed in a short timeframe - Hunt Version
description: |
'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Teams)
tactics:
- Persistence
id: 6fce5baf-bfc2-4c56-a6b7-9c4733fc5a45
name: External user from a new organisation added to Teams
description: |
'This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Teams)
tactics:
- Persistence
id: f2367171-1514-4c67-88ef-27434b6a1093
name: SharePointFileOperation via devices with previously unseen user agents
description: |
'Tracking via user agent is one way to differentiate between types of connecting device.
In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: Office365