yaya2devops
/ DevopsCloudFacts.json
Last active
June 27, 2022 20:19
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "DevOps&Cloud Facts": [ | |
| { | |
| "quote":"DevOpsFacts!"}, | |
| { | |
| "quote":"A compound of development (Dev) and operations (Ops), DevOps is the union of people, process, and technology to continually provide value to customers.","author":"Microsoft"}, | |
| { | |
| "quote":"DevOps enables formerly siloed roles—development, IT operations, quality engineering, and security—to coordinate and collaborate to produce better, more reliable products. By adopting a DevOps culture along with DevOps practices and tools, teams gain the ability to better respond to customer needs, increase confidence in the applications they build, and achieve business goals faster.","author":"Microsoft"}, | |
| { |
yaya2devops
/ MassExportOfDynamicstoExcel.yml
Last active
January 14, 2023 14:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 05eca115-c4b5-48e4-ba6e-07db57695be2 | |
| name: Mass Export of Dynamics 365 Records to Excel | |
| description: | | |
| 'The query detects user exporting a large amount of records from Dynamics 365 to Excel, significantly more records exported than any other recent activity by that user.' | |
| severity: Medium | |
| status: Available | |
| requiredDataConnectors: | |
| - connectorId: Dynamics365 | |
| dataTypes: | |
| - Dynamics365Activity |
yaya2devops
/ NewDynamicsAdminActivity.yml
Last active
January 14, 2023 14:47
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: e147e4dc-849c-49e9-9e8b-db4581951ff4 | |
| name: New Dynamics 365 Admin Activity | |
| description: | | |
| 'Detects users conducting administrative activity in Dynamics 365 where they have not had admin rights before.' | |
| severity: Low | |
| status: Available | |
| requiredDataConnectors: | |
| - connectorId: Dynamics365 | |
| dataTypes: | |
| - Dynamics365Activity |
yaya2devops
/ new_SHAREPOINT_downloads_by_IP.yml
Last active
January 14, 2023 14:47
yaya2devops
/ new_SHAREPOINT_downloads_by_UserAgent.yml
Last active
January 14, 2023 14:47
yaya2devops
/ TEAMS_ExternalUserFromNewOrgAddedToTeams.yml
Last active
January 14, 2023 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 6fce5baf-bfc2-4c56-a6b7-9c4733fc5a45 | |
| name: External user from a new organisation added to Teams | |
| description: | | |
| 'This query identifies external users added to Teams where the user's domain is not one previously seen in Teams data.' | |
| requiredDataConnectors: | |
| - connectorId: Office365 | |
| dataTypes: | |
| - OfficeActivity (Teams) | |
| tactics: | |
| - Persistence |
yaya2devops
/ TEAMS_ExternalUserAddedRemovedInTeams_HuntVersion.yml
Last active
January 14, 2023 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c | |
| name: External user added and removed in a short timeframe - Hunt Version | |
| description: | | |
| 'This hunting query identifies external user accounts that are added to a Team and then removed within one hour.' | |
| requiredDataConnectors: | |
| - connectorId: Office365 | |
| dataTypes: | |
| - OfficeActivity (Teams) | |
| tactics: | |
| - Persistence |
yaya2devops
/ insider-threat-detection-queries.yml
Last active
January 14, 2023 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 4685d7ec-8134-43ce-b579-7c31286b0bc5 | |
| name: insider-threat-detection-queries (1) | |
| description: | | |
| Intent: | |
| - Use MTP capability to look for insider threat potential risk indicators | |
| - Indicators would then serve as the building block for insider threat risk modeling in subsequent tools | |
| Definition of Insider Threat: | |
| "The potential for an individual who has or had authorized access to an organization's assets to use their access, either maliciously or unintentionally, to act in a way that could negatively affect the organization." | |
| This collection of queries describes the different indicators that could be used to model and look for patterns suggesting an increased risk of an individual becoming a potential insider threat. | |
| Note: no single indicator should be used as a lone determinant of insider threat activity, but should be part of an overall program to understand the increased risk to your organization's critical assets. This in turn is used to feed an investigation by a formal insider threat pro |
yaya2devops
/ UnusualGuestActivity.yml
Last active
January 14, 2023 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: acc4c247-aaf7-494b-b5da-17f18863878a | |
| name: External guest invitation followed by Azure AD PowerShell signin | |
| description: | | |
| 'By default guests have capability to invite more external guest users, guests also can do suspicious Azure AD enumeration. This detection look at guests | |
| users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. | |
| Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/' | |
| severity: Medium | |
| requiredDataConnectors: | |
| - connectorId: AzureActiveDirectory | |
| dataTypes: |
yaya2devops
/ SuspiciousServicePrincipalcreationactivity.yml
Last active
January 14, 2023 14:46
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| id: 6852d9da-8015-4b95-8ecf-d9572ee0395d | |
| name: Suspicious Service Principal creation activity | |
| description: | | |
| 'This alert will detect creation of an SPN, permissions granted, credentials created, activity and deletion of the SPN in a time frame (default 10 minutes)' | |
| severity: Low | |
| requiredDataConnectors: | |
| - connectorId: AzureActiveDirectory | |
| dataTypes: | |
| - AuditLogs | |
| - AADServicePrincipalSignInLogs |
OlderNewer