Template Alignments

Defender For Identity/AccountWithPasswordNeverExpiresEnabled.md

@@ -9,7 +9,7 @@ In Windows a password can be set so that it will never expire. This is normaly n
 A account that has as password that never exprided on and it has a weak password. That makes it vulnerable for Brute Force attacks. 
 
 ## Defender XDR
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Account Password Never Expires changed"
 | extend AdditionalInfo = parse_json(AdditionalFields)
@@ -25,8 +25,9 @@ IdentityDirectoryEvents
      ReportId,
      DeviceName
 ```
+
 ## Sentinel
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Account Password Never Expires changed"
 | extend AdditionalInfo = parse_json(AdditionalFields)

Defender For Identity/NewLateralMovementPathToSensitiveAccountIdentified.md

@@ -9,8 +9,7 @@ Defender For Identity identifies lateral movement paths to all sensitive account
 - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
 
 ## Defender XDR
-
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Potential lateral movement path identified"
 | extend AdditionalInfo = parse_json(AdditionalFields)
@@ -24,8 +23,9 @@ IdentityDirectoryEvents
      AccountName,
      AccountDomain
 ```
+
 ## Sentinel
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Potential lateral movement path identified"
 | extend AdditionalInfo = parse_json(AdditionalFields)

Defender For Identity/PasswordChangeAfterSuccesfulBruteForce.md

@@ -25,7 +25,7 @@ An adversary has successfully performed a brute force on an account and changes
 - https://attack.mitre.org/datasources/DS0002/#User%20Account%20Modification
 
 ## Defender XDR
-```
+```KQL
 let FailedLogonsThreshold = 20;
 let SuccessfulLogonsThreshold = 1;
 let TimeWindow = 15m;
@@ -55,8 +55,9 @@ IdentityLogonEvents
 | where TimeDifference > 0
 | where TimeDifference <= SearchWindow
 ```
+
 ## Sentinel
-```
+```KQL
 let FailedLogonsThreshold = 20;
 let SuccessfulLogonsThreshold = 1;
 let TimeWindow = 15m;

Defender For Identity/PotentialKerberosEncryptionDowngrade.md

@@ -27,7 +27,7 @@ An adversary has performed an downgrade attack to be able to perform kerberoasti
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos
 
 ## Defender XDR
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Account Supported Encryption Types changed"
 | extend
@@ -39,8 +39,9 @@ IdentityDirectoryEvents
 | where FromAccountSupportedEncryptionTypes != "N/A"
 | project Timestamp, DeviceName, FromAccountSupportedEncryptionTypes, ToAccountSupportedEncryptionTypes, ActorDevice, TargetDevice
 ```
+
 ## Sentinel
-```
+```KQL
 IdentityDirectoryEvents
 | where ActionType == "Account Supported Encryption Types changed"
 | extend

Defender For Identity/SMBFileCopy.md

@@ -17,8 +17,7 @@ A false positive would be a aministrator that would perform legitimate SMB file
 A actor uses a SMB file copy to distrubute malware in your environment. 
 
 ## Defender XDR
-
-```
+```KQL
 let WhitelistedAccounts = dynamic(['account1', 'account2']);
 IdentityDirectoryEvents
 | where ActionType == 'SMB file copy'
@@ -37,8 +36,9 @@ IdentityDirectoryEvents
      FileName,
      SMBFileCopyCount
 ```
+
 ## Sentinel 
-```
+```KQL
 let WhitelistedAccounts = dynamic(['account1', 'account2']);
 IdentityDirectoryEvents
 | where ActionType == 'SMB file copy'

Defender For Identity/Visualization - MostInteractiveSignInsByUser.md

@@ -6,8 +6,7 @@
 Visualize the top 100 users that have performed the most interactive sign ins.
 
 ### Defender XDR
-
-```
+```KQL
 IdentityLogonEvents
 | where LogonType == 'Interactive'
 | where isempty(FailureReason)
@@ -16,8 +15,9 @@ IdentityLogonEvents
 | top 100 by TotalUniqueInteractiveSignIns
 | render columnchart with (title="Top 100 users that have the most interactive sign ins")
 ```
+
 ### Sentinel
-```
+```KQL
 IdentityLogonEvents
 | where LogonType == 'Interactive'
 | where isempty(FailureReason)

Defender XDR/AlertSupressionAdded.md

@@ -10,16 +10,17 @@ This query lists all the supressions that have been added to Defender XDR. This
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where Timestamp > ago(30d)
 | where ActionType == "ExclusionConfigurationAdded"
 | extend Workload = tostring(parse_json(RawEventData).Workload), ResultStatus = tostring(parse_json(RawEventData).ResultStatus), ResultDescription = tostring(parse_json(RawEventData).ResultDescription)
 | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
 | project-reorder Timestamp, Workload, ResultDescription, ResultStatus,  InitiatedByAccountName, InitiatedByAccounttId
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where TimeGenerated > ago(30d)
 | where ActionType == "ExclusionConfigurationAdded"

Defender XDR/CustomDetectionDeletion.md

@@ -19,15 +19,16 @@ An actor has gotten access to an account that is able to delete custom detection
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where Timestamp > ago(30d)
 | where ActionType == "DeleteCustomDetection"
 | extend RuleName = tostring(parse_json(RawEventData).RuleName), Query = tostring(parse_json(RawEventData).Query), AlertDescription = parse_json(RawEventData).AlertDescription
 | project-reorder AccountDisplayName, AccountId, RuleName, AlertDescription, Query
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where TimeGenerated > ago(30d)
 | where ActionType == "DeleteCustomDetection"

Defender XDR/DeviceIsolation.md

@@ -10,16 +10,17 @@ This query lists all the device isolation activities that have been performed by
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where Timestamp > ago(30d)
 | where ActionType == "IsolateDevice"
 | extend IsolatedDevice = tostring(parse_json(RawEventData).DeviceName), IsolationComment = tostring(parse_json(RawEventData).ActionComment), IsolationScope = tostring(parse_json(RawEventData).ActionScope)
 | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
 |project-reorder Timestamp, IsolatedDevice, IsolationComment, IsolationScope, InitiatedByAccountName, InitiatedByAccounttId
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where TimeGenerated > ago(30d)
 | where ActionType == "IsolateDevice"

Defender XDR/DeviceRemovedFromIsolation.md

@@ -10,7 +10,7 @@ This query lists all the devices that are removed from isolation activities that
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where Timestamp > ago(30d)
 | where ActionType == "ReleaseFromIsolation"
@@ -25,8 +25,9 @@ CloudAppEvents
     | project IsolationTime, IsolatedDevice, IsolationComment, IsolationScope, IsolationInitiatedByAccountName, IsoaltionInitiatedByAccounttId) on $left.ReleasedDevice == $right.IsolatedDevice
 |project-reorder Timestamp, ReleasedDevice, ReleaseComment, InitiatedByAccountName, InitiatedByAccounttId, IsolationTime, IsolationComment, IsolationScope, IsolationInitiatedByAccountName, IsoaltionInitiatedByAccounttId
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where TimeGenerated > ago(30d)
 | where ActionType == "ReleaseFromIsolation"

Defender XDR/LiveResponseFileCollection.md

@@ -12,7 +12,7 @@ This query lists all the Getfile activities that have been executed. This includ
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where Timestamp > ago(30d)
 | where ActionType == "LiveResponseGetFile"
@@ -21,8 +21,9 @@ CloudAppEvents
 | invoke FileProfile(SHA256, 1000)
 | project-reorder Timestamp, FileName, SHA256, InitiatedByAccountName, InitiatedByAccounttId, GlobalPrevalence, SignatureState
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where TimeGenerated > ago(30d)
 | where ActionType == "LiveResponseGetFile"

Defender XDR/LiveResponseUnsignedPowerShellChanges.md

@@ -12,15 +12,16 @@ This query lists all changes to the Live Response Unsigned Script settings in th
 
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where ActionType == "SetAdvancedFeatures"
 | extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)
 | where SettingName == "Live Response unsigned script execution"
 | project-reorder Timestamp, AccountId, ActionType, SettingName, SettingsNewValue
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where ActionType == "SetAdvancedFeatures"
 | extend SettingName = tostring(parse_json(RawEventData).SettingName), SettingsNewValue = tostring(parse_json(RawEventData).SettingsNewValue)

Defender XDR/ManualAntivirusScans.md

@@ -10,14 +10,15 @@ This query lists all manual (and playbook related) anvitius actions that are ini
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where ActionType == "RunAntiVirusScan"
 | extend DeviceName = tostring(parse_json(RawEventData).DeviceName), ActionComment = tostring(parse_json(RawEventData).ActionComment), ActionScope = tostring(parse_json(RawEventData).ActionScope)
 | summarize TotalAntivirusScans = count(), ScanTypes = make_set(ActionScope), Comments = make_set(ActionComment) by DeviceName
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where ActionType == "RunAntiVirusScan"
 | extend DeviceName = tostring(parse_json(RawEventData).DeviceName), ActionComment = tostring(parse_json(RawEventData).ActionComment), ActionScope = tostring(parse_json(RawEventData).ActionScope)

Defender XDR/OffboardingPackageDownloaded.md

@@ -18,16 +18,18 @@ An actor has gotten access to an account that is able to download an Defender Fo
 - https://learn.microsoft.com/en-us/defender-endpoint/offboard-machines
 - https://kqlquery.com/posts/audit-defender-xdr/
 
+
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | where ActionType == "DownloadOffboardingPkg"
 | extend UserId = tostring(parse_json(RawEventData).UserId), ClientIP = tostring(parse_json(RawEventData).ClientIP)
 | project-rename InitiatedByAccountName = AccountDisplayName, InitiatedByAccounttId = AccountId
 | project-reorder Timestamp, InitiatedByAccountName, UserId, ClientIP, ActionType
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | where ActionType == "DownloadOffboardingPkg"
 | extend UserId = tostring(parse_json(RawEventData).UserId), ClientIP = tostring(parse_json(RawEventData).ClientIP)

Defender XDR/RBACChanges.md

@@ -11,16 +11,17 @@ The query below can be used to monitor RBAC changes in Defender XDR. This query
 - https://kqlquery.com/posts/audit-defender-xdr/
 
 ## Defender XDR
-```
+```KQL
 CloudAppEvents
 | extend Workload = tostring(parse_json(RawEventData).Workload)
 | where Workload contains "Defender"
 | where ActionType endswith "Role"
 | extend RoleName = tostring(parse_json(RawEventData).RoleName), RolePermissions = tostring(parse_json(RawEventData).RolePermissions), AssignedGroups = tostring(parse_json(RawEventData).AssignedGroups)
 | project-reorder Timestamp, ActionType, AccountObjectId, RoleName, RolePermissions, AssignedGroups
 ```
+
 ## Sentinel
-```
+```KQL
 CloudAppEvents
 | extend Workload = tostring(parse_json(RawEventData).Workload)
 | where Workload contains "Defender"