Template Alignments

Bert-JanP · Dec 1, 2024 · c1477ab · c1477ab
1 parent 29a08f3
commit c1477ab
Show file tree

Hide file tree

Showing 10 changed files with 14 additions and 49 deletions.
diff --git a/Azure Active Directory/CloudDiscoveryByUserAtRisk.md b/Azure Active Directory/CloudDiscoveryByUserAtRisk.md
@@ -36,9 +36,4 @@ AuditLogs
 // Filter on DiscoveryEvents
 | where OperationName has_any (DiscoveryEvents)
 | project TimeGenerated, Identity, OperationName, Category, ResultDescription, Result
-```
-#### Versions
-| Version | Comment |
-| ---  | --- |
-| 1.0 | Initial commit |
-| 1.1 | addition confirmedCompromised to risk state & collect last event from risky user |
+```
diff --git a/Azure Active Directory/CloudPersistenceActivityByUserAtRisk.md b/Azure Active Directory/CloudPersistenceActivityByUserAtRisk.md
@@ -42,9 +42,4 @@ AuditLogs
 // Filter on DiscoveryEvents
 | where OperationName has_any (PersistenceEvents)
 | project TimeGenerated, Identity, OperationName, Category, ResultDescription, Result
-```
-#### Versions
-| Version | Comment |
-| ---  | --- |
-| 1.0 | Initial commit |
-| 1.1 | addition confirmedCompromised to risk state & collect last event from risky user |
+```
diff --git a/Defender For Cloud Apps/Visualization - ActionsPerformed.md b/Defender For Cloud Apps/Visualization - ActionsPerformed.md
@@ -1,14 +1,14 @@
 # Visualisation of ActionTypes that have been seen in the Cloud App logs in the last 30 days
 
-### Defender XDR
-
+## Defender XDR
 ```
 CloudAppEvents
 | where Timestamp > ago(30d)
 | summarize count() by ActionType
 | render piechart with(title="ActionTypes triggered last 30 days")
 ```
-### Sentinel
+
+## Sentinel
 ```
 CloudAppEvents
 | where TimeGenerated > ago(30d)

diff --git a/Defender For Endpoint/AnomalousSMBSessionsCreated.md b/Defender For Endpoint/AnomalousSMBSessionsCreated.md
@@ -51,13 +51,4 @@ DeviceNetworkEvents
      InitiatingProcessAccountName,
      InitiatingProcessCommandLine,
      InitiatingProcessFolderPath
-```
-
-#### Versions
-| Version | Comment |
-| ---  | --- |
-| 1.0 | Initial commit |
-| 1.1 | Timespan update |
-
-
-
+```
diff --git a/Defender For Endpoint/DevicesWithTheMostSMBSessions.md b/Defender For Endpoint/DevicesWithTheMostSMBSessions.md
@@ -35,13 +35,4 @@ DeviceNetworkEvents
 | where not(DeviceId in (AllDomainControllers)) // This is to reduce FP because of e.g. MDI, if you do not have MDI do not use this filter.
 | summarize TotalRemoteConnections = dcount(RemoteIP) by DeviceName
 | sort by TotalRemoteConnections
-```
-
-#### Versions
-| Version | Comment |
-| ---  | --- |
-| 1.0 | Initial commit |
-| 1.1 | Timespan update |
-
-
-
+```
diff --git a/Defender XDR/LiveResponseFileCollection.md b/Defender XDR/LiveResponseFileCollection.md
@@ -29,6 +29,5 @@ CloudAppEvents
 | where ActionType == "LiveResponseGetFile"
 | extend FileName = tostring(parse_json(RawEventData).FileName), FileSHA256 = tostring(parse_json(RawEventData).FileSHA256)
 | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId, SHA256 = FileSHA256
-| invoke FileProfile(SHA256, 1000)
-| project-reorder TimeGenerated, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId, GlobalPrevalence, SignatureState
+| project-reorder TimeGenerated, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId
 ```
diff --git a/Office 365/AnomalousAmountofURLClickEvents.md b/Office 365/AnomalousAmountofURLClickEvents.md
@@ -29,7 +29,7 @@ A user has clicked and opened a malicious link.
 - **Github: https://github.com/guys1444**
 - **LinkedIn: https://www.linkedin.com/in/guy-sukerman-2002451aa/**
 
-### Defender XDR
+## Defender XDR
 ```
 let startDate = ago(30d);
 let endDate = now();
@@ -44,7 +44,7 @@ UrlClickEvents
 | project Timestamp, ClickCount, anomalies, score, baseline
 ```
 
-### Sentinel
+## Sentinel
 ```
 let startDate = ago(30d);
 let endDate = now();

diff --git a/Office 365/Email - ExecutableFileRecieved.md b/Office 365/Email - ExecutableFileRecieved.md
@@ -48,10 +48,4 @@ EmailEvents
 // Filter on executable file extensions
 | where FileExtension in~ (ExecutableFileExtentions)
 | summarize ['Target Mailboxes'] = make_set(RecipientEmailAddress), ['Sender Addresses'] = make_set(SenderFromAddress), ['Email Subject'] = make_set(Subject) by SHA256, FileName
-```
-
-#### Versions
-| Version | Comment |
-| ---  | --- |
-| 1.0 | Initial commit |
-| 1.1 | Fix DLL in dynamic list |
+```
diff --git a/SecurityEvents/InboundAuthenticationFromPublicIP.md b/SecurityEvents/InboundAuthenticationFromPublicIP.md
@@ -23,4 +23,4 @@ SecurityEvent
 | lookup kind=leftouter (DeviceInfo
     | summarize arg_max(TimeGenerated, *) by DeviceId
     | project DeviceName = toupper(DeviceName), DeviceType, PublicIP, ExposureLevel, MachineGroup) on $left.Computer == $right.DeviceName
-```
+```
diff --git a/Threat Hunting/Behavior - TelegramC2.md b/Threat Hunting/Behavior - TelegramC2.md
@@ -20,7 +20,7 @@ An actor can use telgram as a Command & Control channel, while the attackers dis
 - https://cyware.com/news/malware-authors-leveraging-telegram-based-command-and-control-7010f17b
 - https://twitter.com/adamtheanalyst/status/1592561452803829760?s=46&t=0s88GjPSLLjtgcGdFsC9XQ
 
-### Defender XDR
+## Defender XDR
 ```KQL
 DeviceNetworkEvents
 | where RemoteUrl contains "api.telegram.org"
@@ -33,7 +33,7 @@ DeviceNetworkEvents
     InitiatingProcessAccountDomain
 ```
 
-### Sentinel
+## Sentinel
 ```KQL
 DeviceNetworkEvents
 | where RemoteUrl contains "api.telegram.org"