Yahya Abulhaj yaya2devops
  • KARTY LLC
  • Doha, Qatar
yaya2devops / code-build-backend-success.yaml
Created April 16, 2023 14:05
Codebuild Cloudwatch Logs in YAML
---
-
  timestamp: 1681601913497
  message: "433875ea4139: Pull complete\n"
-
  timestamp: 1681601913497
  message: "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
-
  timestamp: 1681601913497
  message: "Status: Downloaded newer image for python:3.10-slim-buster\n"
yaya2devops / code-build-backend-success.json
Created April 16, 2023 14:05
Codebuild Cloudwatch Logs JSON format
[
  {
    "timestamp": 1681601913497,
    "message": "433875ea4139: Pull complete\n"
  },
  {
    "timestamp": 1681601913497,
    "message": "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"
  },
  {
yaya2devops / [TABULAR]code-build-backend-success.json
Created April 16, 2023 14:04
Codebuild Cloudwatch Logs in Tabular JSON format
[
  [1681601913497, "433875ea4139: Pull complete\n"],
  [1681601913497, "Digest: sha256:1b501f9aa621df27078adcd19ba769c09cb1c4f2e797bfaba0c66553db16923b\n"],
  [1681601913497, "Status: Downloaded newer image for python:3.10-slim-buster\n"],
  [1681601913497, " ---> 6f74f1480ab7\n"],
  [1681601913497, "Step 2/7 : WORKDIR /backend-flask\n"],
  [1681601915513, " ---> Running in af21b329eb4d\n"],
  [1681601915513, "Removing intermediate container af21b329eb4d\n"],
  [1681601915513, " ---> 39c4f7b30297\n"],
  [1681601915513, "Step 3/7 : COPY requirements.txt requirements.txt\n"],
yaya2devops / buildspec.yaml
Created April 15, 2023 17:55
AWS CLOUD PROJECT BOOTCAMP 2023 - WEEK 9
version: 0.2
phases:
  install:
    runtime-versions:
      docker: 19
    commands:
      - echo "cd into $CODEBUILD_SRC_DIR/backend"
      - cd $CODEBUILD_SRC_DIR/backend-flask
      - "aws ecr get-login-password --region $AWS_DEFAULT_REGION | docker login --username AWS --password-stdin $IMAGE_URL"
  build:
id: 05eca115-c4b5-48e4-ba6e-07db57695be2
name: Mass Export of Dynamics 365 Records to Excel
description: |
  'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: Dynamics365
    dataTypes:
      - Dynamics365Activity

id: e147e4dc-849c-49e9-9e8b-db4581951ff4
name: New Dynamics 365 Admin Activity
description: |
  'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.'
severity: Low
status: Available
requiredDataConnectors:
  - connectorId: Dynamics365
    dataTypes:
      - Dynamics365Activity

id: e3d24cfd-b2a1-4ba7-8f80-0360892f9d57
name: SharePointFileOperation via previously unseen IPs
description: |
  'Shows volume of documents uploaded to or downloaded from Sharepoint by IPs with ASNs associated with high user lockout or malicious activity.
  In stable environments such connections by new IPs may be unauthorized, especially if associated with
  spikes in volume which could be associated with large-scale document exfiltration.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs

id: f2367171-1514-4c67-88ef-27434b6a1093
name: SharePointFileOperation via devices with previously unseen user agents
description: |
  'Tracking via user agent is one way to differentiate between types of connecting device.
  In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: Office365

id: 6fce5baf-bfc2-4c56-a6b7-9c4733fc5a45
name: External user from a new organisation added to Teams
description: |
  'This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.'
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Teams)
tactics:
  - Persistence

id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
name: External user added and removed in a short timeframe - Hunt Version
description: |
  'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.'
requiredDataConnectors:
  - connectorId: Office365
    dataTypes:
      - OfficeActivity (Teams)
tactics:
  - Persistence