Yahya Abulhaj yaya2devops

## insider-threat-detection-queries.yml
id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
name: insider-threat-detection-queries (1)
description: |
  Intent:
  - Use MTP capability to look for insider threat potential risk indicators
  - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
  Definition of Insider Threat:
  "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
  This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
  Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro

## UnusualGuestActivity.yml
id: acc4c247-aaf7-494b-b5da-17f18863878a
name: External guest invitation followed by Azure AD PowerShell signin
description: |
  'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
  users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
  Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:

## SuspiciousServicePrincipalcreationactivity.yml
id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
name: Suspicious Service Principal creation activity
description: |
  'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
severity: Low
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
      - AADServicePrincipalSignInLogs

## DevopsCloudFacts.json
{
	"DevOps&Cloud Facts": [

{
       "quote":"DevOpsFacts!"},
{
       "quote":"A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers.","author":"Microsoft"},
{
       "quote":"DevOps enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build, and achieve business goals faster.","author":"Microsoft"},
{
	id: 4685d7ec-8134-43ce-b579-7c31286b0bc5
	name: insider-threat-detection-queries (1)
	description: \|
	Intent:
	- Use MTP capability to look for insider threat potential risk indicators
	- Indicators would then serve as the building block for insider threat risk modeling in subsequent tools
	Definition of Insider Threat:
	"The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization."
	This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat.
	Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro
	id: acc4c247-aaf7-494b-b5da-17f18863878a
	name: External guest invitation followed by Azure AD PowerShell signin
	description: \|
	'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests
	users, who have been invited or have invited recently, who also are logging via various PowerShell CLI.
	Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/'
	severity: Medium
	requiredDataConnectors:
	- connectorId: AzureActiveDirectory
	dataTypes:
	id: 6852d9da-8015-4b95-8ecf-d9572ee0395d
	name: Suspicious Service Principal creation activity
	description: \|
	'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)'
	severity: Low
	requiredDataConnectors:
	- connectorId: AzureActiveDirectory
	dataTypes:
	- AuditLogs
	- AADServicePrincipalSignInLogs
	{
	"DevOps&Cloud Facts": [

	{
	"quote":"DevOpsFacts!"},
	{
	"quote":"A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers.","author":"Microsoft"},
	{
	"quote":"DevOps enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build, and achieve business goals faster.","author":"Microsoft"},
	{