Skip to content

Instantly share code, notes, and snippets.

View yaya2devops's full-sized avatar
🏃
Catching the coming wave 🪄

Yahya Abulhaj yaya2devops

🏃
Catching the coming wave 🪄
View GitHub Profile
{
"DevOps&Cloud Facts": [
{
"quote":"DevOpsFacts!"},
{
"quote":"A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers.","author":"Microsoft"},
{
"quote":"DevOps enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build, and achieve business goals faster.","author":"Microsoft"},
{
id: 05eca115-c4b5-48e4-ba6e-07db57695be2
name: Mass Export of Dynamics 365 Records to Excel
description: |
'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.'
severity: Medium
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
id: e147e4dc-849c-49e9-9e8b-db4581951ff4
name: New Dynamics 365 Admin Activity
description: |
'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.'
severity: Low
status: Available
requiredDataConnectors:
- connectorId: Dynamics365
dataTypes:
- Dynamics365Activity
id: e3d24cfd-b2a1-4ba7-8f80-0360892f9d57
name: SharePointFileOperation via previously unseen IPs
description: |
'Shows volume of documents uploaded to or downloaded from Sharepoint by IPs with ASNs associated with high user lockout or malicious activity.
In stable environments such connections by new IPs may be unauthorized, especially if associated with
spikes in volume which could be associated with large-scale document exfiltration.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
id: f2367171-1514-4c67-88ef-27434b6a1093
name: SharePointFileOperation via devices with previously unseen user agents
description: |
'Tracking via user agent is one way to differentiate between types of connecting device.
In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: Office365
id: 6fce5baf-bfc2-4c56-a6b7-9c4733fc5a45
name: External user from a new organisation added to Teams
description: |
'This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Teams)
tactics:
- Persistence
id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External user added and removed in a short timeframe - Hunt Version
description: |
'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.'
requiredDataConnectors:
- connectorId: Office365
dataTypes:
- OfficeActivity (Teams)
tactics:
- Persistence
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
Intent:
- Use MTP capability to look for insider threat potential risk indicators
- Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
Definition of Insider Threat:
"The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro
id: acc4c247-aaf7-494b-b5da-17f18863878a
name: External guest invitation followed by Azure AD PowerShell signin
description: |
'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
name: Suspicious Service Principal creation activity
description: |
'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
severity: Low
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- AADServicePrincipalSignInLogs