yaya2devops/insider-threat-detection-queries.yml

## insider-threat-detection-queries.yml
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
tactics:
- Initial access
- Persistence
- Exfiltration
query: |
  // --------------------------------------------------------------------------------------------------------------------------- //
  //
  //Zip/Encrypt Sensitive File
  //
  //This is using a very basic indicator of a "Confidential" document in that it must be stored in a folder named Confidential or Restricted
  //Using the Information Protection tags (DeviceFileEvents: SensitivityLabel) might be a more appropriate
   DeviceFileEvents
  | where
      InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
      and FolderPath matches regex ".*Confidential|Restricted.*"
  | project Timestamp, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, DeviceName
	id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
	name: insider-threat-detection-queries (1)
	description: \|
	Intent:
	- Use MTP capability to look for insider threat potential risk indicators
	- Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
	Definition of Insider Threat:
	"The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
	This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
	Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat program to look at the context associated with the whole person to understand the implication of a set of indicators.
	requiredDataConnectors:
	- connectorId: MicrosoftThreatProtection
	dataTypes:
	- DeviceFileEvents
	tactics:
	- Initial access
	- Persistence
	- Exfiltration
	query: \|
	// --------------------------------------------------------------------------------------------------------------------------- //
	//
	//Zip/Encrypt Sensitive File
	//
	//This is using a very basic indicator of a "Confidential" document in that it must be stored in a folder named Confidential or Restricted
	//Using the Information Protection tags (DeviceFileEvents: SensitivityLabel) might be a more appropriate
	DeviceFileEvents
	\| where
	InitiatingProcessFileName in ("7z.exe", "7zG.exe", "AxCrypt.exe", "BitLocker.exe", "Diskcryptor.exe", "GNUPrivacyGuard.exe", "GPG4Win.exe", "PeaZip.exe", "VeraCrypt.exe", "WinRAR.exe", "WinZip.exe")
	and FolderPath matches regex ".Confidential\|Restricted."
	\| project Timestamp, InitiatingProcessAccountName, FileName, FolderPath, InitiatingProcessFileName, DeviceName