{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"accountSasProperties": {
"type": "object",
"defaultValue": {
"signedServices": "b",
"signedPermission": "rw",
"signedExpiry": "2050-03-01T00:00:01Z",
"signedResourceTypes": "o"
}
},
"workspace_name": {
"defaultValue": "[uniqueString(resourceGroup().id)]",
"type": "String"
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]"
},
"storageAccounts_name": {
"defaultValue": "[concat(parameters('workspace_name'), 'blobstore')]",
"type": "String"
},
"workbookDisplayName": {
"type": "string",
"defaultValue": "Sysmon threat hunting workbook",
"metadata": {
"description": "The friendly name for the workbook that is used in the Gallery or Saved List. This name must be unique within a resource group."
}
},
"workbookType": {
"type": "string",
"defaultValue": "sentinel",
"metadata": {
"description": "The gallery the workbook will be shown under. Supported values include 'workbook', 'tsg', etc. Usually this is 'workbook'; this template defaults to 'sentinel'."
}
},
"workbookId": {
"type": "string",
"defaultValue": "[newGuid()]",
"metadata": {
"description": "The unique GUID for this workbook instance. It is used as the workbook resource name and defaults to newGuid(), so a deployment that does not pass a value creates a new workbook resource rather than updating an existing one."
}
},
"workbookSourceId": {
"type": "string",
"defaultValue": "[concat('/subscriptions/',subscription().subscriptionId,'/resourcegroups/',resourceGroup().name,'/providers/microsoft.operationalinsights/workspaces/', parameters('workspace_name'))]",
"metadata": {
"description": "The resource ID of the Log Analytics workspace the workbook will be associated with. Defaults to the workspace created by this template (workspace_name)."
}
}
},
"variables": {
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"name": "[parameters('storageAccounts_name')]",
"location": "[parameters('location')]",
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"kind": "Storage",
"properties": {
"isHnsEnabled": false,
"networkAcls": {
"bypass": "AzureServices",
"virtualNetworkRules": [],
"ipRules": [],
"defaultAction": "Allow"
},
"supportsHttpsTrafficOnly": false,
"encryption": {
"services": {
"file": {
"keyType": "Account",
"enabled": true
},
"blob": {
"keyType": "Account",
"enabled": true
}
},
"keySource": "Microsoft.Storage"
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccounts_name'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_name'))]"
],
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
},
"deleteRetentionPolicy": {
"enabled": false
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/fileServices",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccounts_name'), '/default')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_name'))]"
],
"sku": {
"name": "Standard_GRS",
"tier": "Standard"
},
"properties": {
"cors": {
"corsRules": []
}
}
},
{
"type": "Microsoft.Storage/storageAccounts/blobServices/containers",
"apiVersion": "2019-06-01",
"name": "[concat(parameters('storageAccounts_name'), '/default/', parameters('workspace_name'), '-store')]",
"dependsOn": [
"[resourceId('Microsoft.Storage/storageAccounts/blobServices', parameters('storageAccounts_name'), 'default')]",
"[resourceId('Microsoft.Storage/storageAccounts', parameters('storageAccounts_name'))]"
],
"properties": {
"publicAccess": "None"
}
},
{
"type": "microsoft.operationalinsights/workspaces",
"apiVersion": "2020-03-01-preview",
"name": "[parameters('workspace_name')]",
"location": "[parameters('location')]",
"properties": {
"sku": {
"name": "PerGB2018"
},
"retentionInDays": 90,
"publicNetworkAccessForIngestion": "Enabled",
"publicNetworkAccessForQuery": "Enabled"
}
},
{
"name": "[concat('SecurityInsights','(', parameters('workspace_name'),')')]",
"type": "Microsoft.OperationsManagement/solutions",
"apiVersion": "2015-11-01-preview",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspace_name'))]"
],
"properties": {
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
},
"plan": {
"name": "[concat('SecurityInsights','(', parameters('workspace_name'),')')]",
"product": "OMSGallery/SecurityInsights",
"publisher": "Microsoft",
"promotionCode": ""
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/pipe_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "pipe_whitelist",
"query": "[concat('externaldata(host:string, process_path:string, pipe_name:string, reason:string) [h\"https://', parameters('storageAccounts_name'), '.blob.core.windows.net/', parameters('workspace_name') ,'-store/pipe_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "pipe_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/process_access_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "process_access_whitelist",
"query": "[concat('externaldata(host:string, process_path:string, target_process_path:string, process_granted_access:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/process_access_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "process_access_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/dns_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "dns_whitelist",
"query": "[concat('externaldata(host:string, process_path:string, query_name:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/dns_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "dns_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/remote_thread_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "remote_thread_whitelist",
"query": "[concat('externaldata(host:string, event_type:string, process_path:string, target_process_path:string, target_process_address:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/remote_thread_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "remote_thread_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/process_create_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "process_create_whitelist",
"query": "[concat('externaldata(host:string, user:string, process_parent_path:string, process_path:string, process_command_line:string, hash_sha256:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/process_create_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "process_create_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/Sysmon')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "Sysmon",
"query": "let timeframe = \"{time_range}\";\r\nlet EventData = Event\r\n| where Source == \"Microsoft-Windows-Sysmon\"\r\n| extend RenderedDescription = tostring(split(RenderedDescription, \":\")[0])\r\n| project TimeGenerated, Source, EventID, Computer, UserName, EventData, RenderedDescription\r\n| extend EvData = parse_xml(EventData)\r\n| extend EventDetail = EvData.DataItem.EventData.Data\r\n| project-away EventData, EvData\r\n;\r\nlet SysmonEvent1_ProcessCreate=() {\r\nlet processEvents = EventData\r\n| where EventID == 1\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"], \r\nfile_version = EventDetail.[5].[\"#text\"], file_description = EventDetail.[6].[\"#text\"], file_product = EventDetail.[7].[\"#text\"], file_company = EventDetail.[8].[\"#text\"], file_name = EventDetail.[9].[\"#text\"], \r\nprocess_command_line = EventDetail.[10].[\"#text\"], file_directory = EventDetail.[11].[\"#text\"], user_name = EventDetail.[12].[\"#text\"], user_logon_guid = EventDetail.[13].[\"#text\"], \r\nuser_logon_id = EventDetail.[14].[\"#text\"], user_session_id = EventDetail.[15].[\"#text\"], process_integrity_level = EventDetail.[16].[\"#text\"], Hashes = EventDetail.[17].[\"#text\"], \r\nprocess_parent_guid = EventDetail.[18].[\"#text\"], process_parent_id = EventDetail.[19].[\"#text\"], process_parent_path = EventDetail.[20].[\"#text\"], process_parent_command_line = EventDetail.[21].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| parse Hashes with * 'SHA1=' hash_sha1 ',' * 'MD5=' hash_md5 ',' * 'SHA256=' hash_sha256 ',' * 'IMPHASH=' hash_imphash\r\n| project-away EventDetail, rule_name, Hashes\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent2_FileCreateTime=() {\r\nlet processEvents = 
EventData\r\n| where EventID == 2\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"],\r\nfile_path = EventDetail.[5].[\"#text\"], file_creation_time = EventDetail.[6].[\"#text\"], file_previous_creation_time = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent3_NetworkConnect=() {\r\nlet processEvents = EventData\r\n| where EventID == 3\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"],\r\nuser_name = EventDetail.[5].[\"#text\"], network_protocol = EventDetail.[6].[\"#text\"], network_connection_initiated = EventDetail.[7].[\"#text\"], src_is_ipv6 = EventDetail.[8].[\"#text\"], src_ip = EventDetail.[9].[\"#text\"], \r\nsrc_host_name = EventDetail.[10].[\"#text\"], src_port = EventDetail.[11].[\"#text\"], src_port_name = EventDetail.[12].[\"#text\"], dst_is_ipv6 = EventDetail.[13].[\"#text\"], \r\ndst_ip = EventDetail.[14].[\"#text\"], dst_host_name = EventDetail.[15].[\"#text\"], dst_port = EventDetail.[16].[\"#text\"], dst_port_name = EventDetail.[17].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name \r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent4_ServiceStateChange=() {\r\nlet processEvents = EventData\r\n| where EventID == 4\r\n| extend event_creation_time = EventDetail.[0].[\"#text\"], service_state = EventDetail.[1].[\"#text\"], sysmon_schema = EventDetail.[2].[\"#text\"], 
sysmon_schema_version = EventDetail.[3].[\"#text\"]\r\n| project-away EventDetail\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent5_ProcessTerminate=() {\r\nlet processEvents = EventData\r\n| where EventID == 5\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent6_DriverLoad=() {\r\nlet processEvents = EventData\r\n| where EventID == 6\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_pathLoaded = EventDetail.[2].[\"#text\"], Hashes = EventDetail.[3].[\"#text\"],\r\ndriver_is_signed = EventDetail.[4].[\"#text\"], driver_signature = EventDetail.[5].[\"#text\"], driver_signature_status = EventDetail.[6].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| parse Hashes with * 'SHA1=' hash_sha1 ',' * 'MD5=' hash_md5 ',' * 'SHA256=' hash_sha256 ',' * 'IMPHASH=' hash_imphash\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent7_ImageLoad=() {\r\nlet processEvents = EventData\r\n| where EventID == 7\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"],\r\nmodule_loaded = EventDetail.[5].[\"#text\"], file_version = EventDetail.[6].[\"#text\"],file_description = EventDetail.[7].[\"#text\"], file_product = EventDetail.[8].[\"#text\"], file_company = EventDetail.[9].[\"#text\"],\r\nHashes = EventDetail.[11].[\"#text\"], 
module_is_signed = EventDetail.[12].[\"#text\"], module_signature = EventDetail.[13].[\"#text\"], module_signature_status = EventDetail.[14].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| parse Hashes with * 'SHA1=' hash_sha1 ',' * 'MD5=' hash_md5 ',' * 'SHA256=' hash_sha256 ',' * 'IMPHASH=' hash_imphash\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent8_CreateRemoteThread=() {\r\nlet processEvents = EventData\r\n| where EventID == 8\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"],\r\nprocess_path = EventDetail.[4].[\"#text\"], target_process_guid = EventDetail.[5].[\"#text\"], target_process_id = EventDetail.[6].[\"#text\"], target_process_path = EventDetail.[7].[\"#text\"],\r\nthread_new_id = EventDetail.[8].[\"#text\"], thread_start_address = EventDetail.[9].[\"#text\"], thread_start_module = EventDetail.[10].[\"#text\"], thread_start_function = EventDetail.[11].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent9_RawAccessRead=() {\r\nlet processEvents = EventData\r\n| where EventID == 9\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], process_path = EventDetail.[4].[\"#text\"], target_device = EventDetail.[5].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent10_ProcessAccess=() {\r\nlet processEvents = 
EventData\r\n| where EventID == 10\r\n| extend rule_name = EventDetail.[0].[\"#text\"],UtcTime = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"],\r\nthread_id = EventDetail.[4].[\"#text\"],process_path = EventDetail.[5].[\"#text\"], target_process_guid = EventDetail.[6].[\"#text\"], target_process_id = EventDetail.[7].[\"#text\"],\r\ntarget_process_path = EventDetail.[8].[\"#text\"],process_granted_access = EventDetail.[9].[\"#text\"], process_call_trace = EventDetail.[10].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent11_FileCreate=() {\r\nlet processEvents = EventData\r\n| where EventID == 11\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"],\r\nprocess_path = EventDetail.[4].[\"#text\"], file_name = EventDetail.[5].[\"#text\"], file_creation_time = EventDetail.[6].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent12_RegistryObjectAddDel=() {\r\nlet processEvents = EventData\r\n| where EventID == 12\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], process_guid = EventDetail.[3].[\"#text\"],\r\nprocess_id = EventDetail.[4].[\"#text\"],process_path = EventDetail.[5].[\"#text\"],registry_key_path = EventDetail.[6].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, 
rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent13_RegistrySetValue=() {\r\nlet processEvents = EventData\r\n| where EventID == 13\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], process_guid = EventDetail.[3].[\"#text\"],\r\nprocess_id = EventDetail.[4].[\"#text\"],process_path = EventDetail.[5].[\"#text\"],registry_key_path = EventDetail.[6].[\"#text\"],registry_key_details = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent14_RegistryObjectRename=() {\r\nlet processEvents = EventData\r\n| where EventID == 14\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], process_guid = EventDetail.[3].[\"#text\"],\r\nprocess_id = EventDetail.[4].[\"#text\"],process_path = EventDetail.[5].[\"#text\"],registry_key_path = EventDetail.[6].[\"#text\"],registry_key_new_name = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent15_FileCreateStreamHash=() {\r\nlet processEvents = EventData\r\n| where EventID == 15\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"],\r\nprocess_path = EventDetail.[4].[\"#text\"],file_name = EventDetail.[5].[\"#text\"],file_creation_time = EventDetail.[6].[\"#text\"],hash = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away 
EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent16_ConfigChange=() {\r\nlet processEvents = EventData\r\n| where EventID == 16\r\n| extend event_creation_time = EventDetail.[0].[\"#text\"], sysmon_configuration = EventDetail.[1].[\"#text\"], sysmon_configuration_hash = EventDetail.[2].[\"#text\"]\r\n| project-away EventDetail\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent17_CreateNamedPipe=() {\r\nlet processEvents = EventData\r\n| where EventID == 17\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], process_guid = EventDetail.[3].[\"#text\"], process_id = EventDetail.[4].[\"#text\"], pipe_name = EventDetail.[5].[\"#text\"],\r\nprocess_path = EventDetail.[6].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent18_ConnectNamedPipe=() {\r\nlet processEvents = EventData\r\n| where EventID == 18\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"], pipe_name = EventDetail.[4].[\"#text\"],\r\nprocess_path = EventDetail.[5].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent19_WMIEventFilter=() {\r\nlet processEvents = EventData\r\n| where EventID == 19\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], wmi_operation = EventDetail.[3].[\"#text\"],\r\nuser_name = EventDetail.[4].[\"#text\"],wmi_namespace = EventDetail.[5].[\"#text\"],wmi_filter_name = EventDetail.[6].[\"#text\"],wmi_query = EventDetail.[7].[\"#text\"]\r\n| 
parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent20_WMIEventConsumer=() {\r\nlet processEvents = EventData\r\n| where EventID == 20\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], wmi_operation = EventDetail.[3].[\"#text\"],\r\nuser_name = EventDetail.[4].[\"#text\"],wmi_consumer_name = EventDetail.[5].[\"#text\"],wmi_consumer_type = EventDetail.[6].[\"#text\"],wmi_consumer_destination = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent21_WMIEventConsumerToFilter=() {\r\nlet processEvents = EventData\r\n| where EventID == 21\r\n| extend rule_name = EventDetail.[0].[\"#text\"], EventType = EventDetail.[1].[\"#text\"], event_creation_time = EventDetail.[2].[\"#text\"], wmi_operation = EventDetail.[3].[\"#text\"],\r\nuser_name = EventDetail.[4].[\"#text\"],wmi_consumer_path = EventDetail.[5].[\"#text\"],Type = EventDetail.[6].[\"#text\"],wmi_filter_path = EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\nlet SysmonEvent22_DNSEvents=() {\r\nlet processEvents = EventData\r\n| where EventID == 22\r\n| extend rule_name = EventDetail.[0].[\"#text\"], event_creation_time = EventDetail.[1].[\"#text\"], process_guid = EventDetail.[2].[\"#text\"], process_id = EventDetail.[3].[\"#text\"],\r\ndns_query_name = EventDetail.[4].[\"#text\"],dns_query_status = EventDetail.[5].[\"#text\"],dns_query_results = EventDetail.[6].[\"#text\"],process_path = 
EventDetail.[7].[\"#text\"]\r\n| parse rule_name with * 'technique_id=' technique_id ',' * 'technique_name=' technique_name ',' * 'phase_name=' phase_name\r\n| project-away EventDetail, rule_name\r\n;\r\nprocessEvents;\r\n};\r\n(union isfuzzy=true\r\nSysmonEvent1_ProcessCreate,SysmonEvent2_FileCreateTime,SysmonEvent3_NetworkConnect,SysmonEvent4_ServiceStateChange,SysmonEvent5_ProcessTerminate,\r\nSysmonEvent6_DriverLoad,SysmonEvent7_ImageLoad,SysmonEvent8_CreateRemoteThread,SysmonEvent9_RawAccessRead,SysmonEvent10_ProcessAccess,\r\nSysmonEvent11_FileCreate,SysmonEvent12_RegistryObjectAddDel,SysmonEvent14_RegistryObjectRename,\r\nSysmonEvent15_FileCreateStreamHash,SysmonEvent16_ConfigChange,SysmonEvent17_CreateNamedPipe,SysmonEvent18_ConnectNamedPipe,\r\nSysmonEvent19_WMIEventFilter,SysmonEvent20_WMIEventConsumer,SysmonEvent21_WMIEventConsumerToFilter,SysmonEvent22_DNSEvents)\r\n",
"functionAlias": "Sysmon",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/file_access_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "file_access_whitelist",
"query": "[concat('externaldata(technique_id:string, host:string, process_path:string, file_path:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/file_access_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "file_access_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/network_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "network_whitelist",
"query": "[concat('externaldata(host:string, user_name:string, process_path:string, src_ip:string, dst_ip:string, dst_port:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/network_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "network_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/image_load_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "image_load_whitelist",
"query": "[concat('externaldata(host:string, process_path:string, driver_loaded:string, driver_is_signed:string, driver_signature:string, driver_signature_status:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/image_load_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "image_load_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/file_create_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "file_create_whitelist",
"query": "[concat('externaldata(host:string, file_name:string, file_path:string, process_path:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/file_create_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "file_create_whitelist",
"version": 2
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-03-01-preview",
"name": "[concat(parameters('workspace_name'), '/registry_whitelist')]",
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace_name'))]"
],
"properties": {
"category": "sentinel-attack",
"displayName": "registry_whitelist",
"query": "[concat('externaldata(host:string, event_type:string, process_path:string, registry_key_path:string, registry_key_details:string, reason:string) [h\"https://',parameters('storageAccounts_name'),'.blob.core.windows.net/', parameters('workspace_name') ,'-store/registry_whitelist.csv?', listAccountSas(parameters('storageAccounts_name'), '2018-07-01', parameters('accountSasProperties')).accountSasToken,'\"] with (ignoreFirstRecord=true)\n')]",
"functionAlias": "registry_whitelist",
"version": 2
}
},
{
"name": "[parameters('workbookId')]",
"type": "microsoft.insights/workbooks",
"location": "[resourceGroup().location]",
"apiVersion": "2018-06-17-preview",
"dependsOn": [],
"kind": "shared",
"properties": {
"displayName": "[parameters('workbookDisplayName')]",
"serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This workbook provides drill-down dashboards to aid the execution of threat hunts targeting Sysmon data mapped to MITRE ATT&CK.\\n\\nThis workbook is written by [Edoardo Gerosa](https://twitter.com/netevert).\\nFor guidance consult [Sentinel ATT&CK's documentation](https://github.com/BlueTeamToolkit/sentinel-attack) or contact [the author](https://twitter.com/netevert). For bug submissions please [open an issue](https://github.com/BlueTeamToolkit/sentinel-attack/issues) on GitHub.\"},\"name\":\"text - 2\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"ATT&CK trigger overview\",\"subTarget\":\"1\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"ATT&CK drilldown\",\"subTarget\":\"2\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"User drilldown\",\"subTarget\":\"3\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Network connection drilldown\",\"subTarget\":\"6\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Computer drilldown\",\"subTarget\":\"4\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Process GUID drilldown\",\"subTarget\":\"5\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"File create drilldown\",\"subTarget\":\"7\",\"style\":\"link\"},{\"cellValue\":\"navigation_value\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Pipe name 
drilldown\",\"subTarget\":\"8\",\"style\":\"link\"}]},\"name\":\"navigation-tabs\",\"styleSettings\":{\"showBorder\":true}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides an overview of ATT&CK triggers within a selected time range. Edit the `Time Range` and `Time Interval` below to select a time range and interval. Please note that all tables below exclude whitelisted Sysmon events: an event is dropped when its `process_path` appears (case-insensitively) in the `process_path` column of any of the eight whitelist functions (`process_create_whitelist`, `process_access_whitelist`, `dns_whitelist`, `file_create_whitelist`, `image_load_whitelist`, `network_whitelist`, `pipe_whitelist`, `registry_whitelist`). Matching is on that single column only, so a path whitelisted for one event type is suppressed across all event types in this overview. Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/Trigger-overview-tab) for additional information.\"},\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b845def6-6de9-421d-a160-fb4828df0d9c\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Range\",\"label\":\"Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":3600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}},{\"id\":\"be99fc46-1c82-459b-8053-85d83936b346\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Time_Interval\",\"label\":\"Time Interval\",\"type\":2,\"isRequired\":true,\"query\":\"datatable(key:string, value:string)\\r\\n[\\r\\n\\\"1m\\\", \\\"1 minute\\\",\\r\\n\\\"5m\\\", \\\"5 minutes\\\",\\r\\n\\\"15m\\\", \\\"15 minutes\\\",\\r\\n\\\"30m\\\", \\\"30 minutes\\\",\\r\\n\\\"1h\\\", \\\"1 
hour\\\"\\r\\n]\",\"value\":\"15m\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where TimeGenerated {Time_Range:query}\\r\\n| where isnotempty(phase_name)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| summarize count() by 
phase_name\",\"size\":4,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"phase_name\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\",\"showIcon\":true},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"showBorder\":false}},\"name\":\"query - 0\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where TimeGenerated {Time_Range:query}\\r\\n| where isnotempty(technique_id)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| summarize count() by technique_id, technique_name, phase_name\\r\\n| sort by count_ 
desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Top triggered techniques within selected time range\",\"timeContext\":{\"durationMs\":3600000},\"timeContextFromParameter\":\"Time_Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"technique_id\",\"label\":\"Technique ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique Name\"},{\"columnId\":\"phase_name\",\"label\":\"Phase Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"query - 4\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where TimeGenerated {Time_Range:query}\\r\\n| where isnotempty(Computer)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ 
(process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| summarize count() by Computer, UserName\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top triggered Computers within selected time range\",\"timeContext\":{\"durationMs\":3600000},\"timeContextFromParameter\":\"Time_Range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true,\"aggregation\":\"Sum\"}}],\"labelSettings\":[{\"columnId\":\"UserName\",\"label\":\"User Name\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"query - 6\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nlet min_t = toscalar(Sysmon | summarize min({Time_Range:start}));\\r\\nlet max_t = toscalar(Sysmon | summarize max({Time_Range:end}));\\r\\nSysmon\\r\\n| where isnotempty(phase_name)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ 
(process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| make-series num=count() default=0 on TimeGenerated in range(min_t, max_t, {Time_Interval:value}) by phase_name\",\"size\":1,\"title\":\"Overview of ATT&CK tactics triggered over time range by selected time interval\",\"timeContext\":{\"durationMs\":3600000},\"timeContextFromParameter\":\"Time_Range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"name\":\"query - 7\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"trigger-overview-group\",\"styleSettings\":{\"progressStyle\":\"squares\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides insights into all ATT&CK triggers registered within the selected timespan. More importantly, the data in this tab helps to drill down into Sysmon logs by filtering by ATT&CK tactic, technique, technique ID and excluded hosts. Whitelist filtering in the tables below is applied per column: each field of an event is compared independently against the matching column of the whitelist, so a value whitelisted in one row suppresses every event carrying that value, not only the combination recorded in that row. The DNS table is the exception, as it combines its whitelist conditions with `or` and therefore only suppresses events whose host, process path and query name are all whitelisted. 
Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/ATT&CK-drilldown-tab) for additional information.\"},\"name\":\"intro-text\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"e7936a65-94c9-40a1-8d5f-e8ef336007a1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Timespan\",\"type\":4,\"description\":\"Selects the time range for the drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"e1b35895-cd18-4ca9-a54d-4646445159bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tactic\",\"label\":\"ATT&CK tactic\",\"type\":2,\"description\":\"The ATT&CK tactic to target during the drilldown analysis\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Sysmon\\r\\n| where isnotempty(phase_name)\\r\\n| summarize by phase_name\",\"value\":[\"Defense Evasion\",\"Persistence\",\"Execution\",\"Defense Evasion, Execution,phase_name=Execution\",\"Privilege Escalation\",\"Lateral Movement\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"e54e76ab-79bf-47b6-bae1-69e8a0239774\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"technique\",\"label\":\"ATT&CK technique\",\"type\":2,\"description\":\"The ATT&CK technique to target during the 
drilldown analysis\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Sysmon\\r\\n| where isnotempty(technique_name)\\r\\n| summarize by technique_name\",\"value\":[\"Masquerading\",\"Install Root Certificate\",\"Windows Management Instrumentation\",\"Scheduled Task\",\"Regsvr32\",\"DLL Side-Loading\",\"Indirect Command Execution\",\"Command-Line Interface\",\"Modify Existing Service\",\"Bypass User Account Control\",\"Remote Services\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"86e49edd-28ea-4a60-aae3-32e2d6d4b880\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"technique_id_value\",\"label\":\"ATT&CK technique ID\",\"type\":2,\"description\":\"The ATT&CK technique ID to target during the drilldown analysis\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Sysmon\\r\\n| where isnotempty(technique_id)\\r\\n| summarize by technique_id\",\"value\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"494f5101-a136-4622-89bc-6dcd6983eeac\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"excluded_host\",\"label\":\"Exclude host\",\"type\":2,\"description\":\"The hosts to exclude during the drilldown analysis\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"Sysmon\\r\\n| summarize by 
Computer\",\"value\":[],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"search-parameters\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let host_whitelist = process_create_whitelist | project host;\\r\\nlet user_whitelist = process_create_whitelist | project user;\\r\\nlet process_ppath_whitelist = process_create_whitelist | project process_parent_path;\\r\\nlet process_path_whitelist = process_create_whitelist | project process_path;\\r\\nlet command_line_whitelist = process_create_whitelist | project replace(\\\"'\\\", \\\"\\\", replace('\\\"', '', process_command_line));\\r\\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\\r\\nSysmon \\r\\n| where EventID == 1\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\\\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process create (not whitelisted)\",\"noDataMessage\":\"No process create events matching ATT&CK techniques for given timespan and 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_parent_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"user_name\",\"label\":\"User\"},{\"columnId\":\"process_parent_path\",\"label\":\"Process parent path\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"Original file name\"},{\"columnId\":\"process_parent_command_line\",\"label\":\"Process parent commandline\"},{\"columnId\":\"process_command_line\",\"label\":\"Process commandline\"},{\"columnId\":\"process_parent_guid\",\"label\":\"Process parent GUID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"hash_sha256\",\"label\":\"SHA256\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_parent_id\",\"label\":\"Process parent ID\"}]}},\"name\":\"process-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = process_access_whitelist | project process_path;\\r\\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\\r\\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\\r\\nSysmon \\r\\n| where EventID == 10\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where 
technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process access (not whitelisted)\",\"noDataMessage\":\"No process access events matching ATT&CK techniques for given timespan and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"target_process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"target_process_path\",\"label\":\"Target process path\"},{\"columnId\":\"process_granted_access\",\"label\":\"Process granted access\"},{\"columnId\":\"target_process_guid\",\"label\":\"Target process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"target_process_id\",\"label\":\"Target process ID\"}]}},\"name\":\"process-access-query \",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet file_path_whitelist = file_create_whitelist | 
project file_path;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon \\r\\n| where EventID == 11\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"File created (not whitelisted)\",\"noDataMessage\":\"No file created events matching ATT&CK techniques for given timespan and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File name\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"file-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path__whitelist = image_load_whitelist | project process_path;\\r\\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\\r\\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\\r\\nlet 
drv_signature_whitelist = image_load_whitelist | project driver_signature;\\r\\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\\r\\nSysmon \\r\\n| where EventID == 7\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Image loaded (not whitelisted)\",\"noDataMessage\":\"No image loaded events matching ATT&CK techniques for given timespan and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"module_loaded\",\"label\":\"Driver loaded\"},{\"columnId\":\"module_is_signed\",\"label\":\"Driver is signed\"},{\"columnId\":\"module_signature\",\"label\":\"Driver signature\"},{\"columnId\":\"module_signature_status\",\"label\":\"Driver 
signature status\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"name\":\"image-loaded-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = network_whitelist | project process_path;\\r\\nlet src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nlet dst_port_whitelist = network_whitelist | project dst_port;\\r\\nSysmon \\r\\n| where EventID == 3\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network connection (not whitelisted)\",\"noDataMessage\":\"No network connection events matching ATT&CK techniques for given timespan and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time 
generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"user_name\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"dst_port\",\"label\":\"Destination port\"},{\"columnId\":\"src_host_name\",\"label\":\"Source host name\"},{\"columnId\":\"dst_host_name\",\"label\":\"Destination host name\"}]}},\"name\":\"netwrok-connection-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let event_type_whitelist = registry_whitelist | project event_type;\\r\\nlet process_path_whitelist = registry_whitelist | project process_path;\\r\\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\\r\\nSysmon \\r\\n| where EventID == 12\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path\",\"size\":0,\"showAnalytics\":true,\"title\":\"Registry access (not whitelisted)\",\"noDataMessage\":\"No registry access events matching ATT&CK techniques for given timespan and 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"EventType\",\"label\":\"Event type\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"registry_key_path\",\"label\":\"Registry key path\"}]}},\"name\":\"registry-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon \\r\\n| where EventID == 17 or EventID == 18\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipes (not whitelisted)\",\"noDataMessage\":\"No pipe created or connected events matching ATT&CK techniques for given timespan and 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"pipe_name\",\"label\":\"Pipe name\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"pipes-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let host_whitelist = dns_whitelist | project host;\\r\\nlet process_whitelist = dns_whitelist | project process_path;\\r\\nlet query_whitelist = dns_whitelist | project query_name;\\r\\nSysmon \\r\\n| where EventID == 22\\r\\n| where isnotempty(technique_name)\\r\\n| where phase_name in ({tactic})\\r\\n| where technique_name in ({technique})\\r\\n| where technique_id in ({technique_id_value})\\r\\n| where Computer !in ({excluded_host})\\r\\n| where Computer !in~ (host_whitelist) or process_path !in~ (process_whitelist) or dns_query_name !in~ (query_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS (not whitelisted)\",\"noDataMessage\":\"No DNS events matching ATT&CK techniques for given timespan and 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"dns_query_name\",\"label\":\"DNS query name\"},{\"columnId\":\"dns_query_status\",\"label\":\"DNS query status\"},{\"columnId\":\"dns_query_results\",\"label\":\"DNS query results\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"name\":\"dns-query\"}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"2\"},\"name\":\"attack-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides insights into all user activity logged within the specified timespan. The data covered in this tab isn't limited just to Sysmon logs generated by the selected user but also takes into account Windows Security Log Events to highlight suspicious user activity. 
Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/User-drilldown-tab) for additional information.\\n\\n**Note:** All data in this workbook excludes whitelisted events.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"1e71dd48-a0e4-44df-bd9e-1d40e8fd5691\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_span\",\"label\":\"Timespan\",\"type\":4,\"description\":\"Selects time range of the drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":172800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"4963c841-91ea-4077-98a4-56e8130a4927\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"user_name_value\",\"label\":\"User name\",\"type\":2,\"description\":\"Selects the username to target during drilldown\",\"isRequired\":true,\"query\":\"Sysmon\\r\\n| where isnotempty(technique_name)\\r\\n| summarize by UserName\",\"value\":\"NT AUTHORITY\\\\SYSTEM\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\nlet 
process_path_dns_whitelist = dns_whitelist | project process_path;\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\nSysmon\\n| where UserName contains @\\\"{user_name_value}\\\"\\n| where isnotempty(technique_name)\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\n| summarize count() by technique_name, bin(TimeGenerated, 1h)\",\"size\":1,\"showAnalytics\":true,\"title\":\"User activity by technique\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\"},\"name\":\"user-activity-by-technique-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet 
process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| summarize c=count() by Computer, UserName\\r\\n| sort by c desc\\r\\n| project Computer, UserName, c\",\"size\":0,\"showAnalytics\":true,\"title\":\"User activity by host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"c\",\"formatter\":3,\"formatOptions\":{\"palette\":\"green\",\"showIcon\":true,\"aggregation\":\"Count\"}},{\"columnMatch\":\"count_\",\"formatter\":9,\"formatOptions\":{\"palette\":\"green\",\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User name\"},{\"columnId\":\"c\",\"label\":\"ATT&CK Events\"}]}},\"customWidth\":\"50\",\"name\":\"user-activity-by-host-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where (EventID == 4771 and FailureReason != 0x19) or EventID == 4625\\r\\n| where Account contains split(@\\\"{user_name_value}\\\", @\\\"\\\\\\\")[1]\\r\\n| summarize count() by bin(TimeGenerated, 
1d)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication Failures over time\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\",\"tileSettings\":{\"showBorder\":false,\"titleContent\":{\"columnMatch\":\"Computer\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}}}},\"customWidth\":\"50\",\"name\":\"failed-authentications-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where (EventID == 4771 and FailureReason != 0x19) or EventID == 4624\\r\\n| summarize count() by Account, Computer\\r\\n| project Account, Computer\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication failures by user and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"tileSettings\":{\"showBorder\":false},\"graphSettings\":{\"type\":2,\"topContent\":{\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"centerContent\":{\"columnMatch\":\"Account\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true},\"tooltipFormat\":{\"tooltip\":\"User 
account\"}},\"hivesContent\":{\"columnMatch\":\"Computer\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true},\"numberFormat\":{\"unit\":0,\"options\":{\"style\":\"decimal\"}}},\"nodeIdField\":\"Account\",\"targetIdField\":\"Computer\",\"edgeLabel\":\"Account\",\"nodeSize\":null,\"staticNodeSize\":150,\"colorSettings\":{\"nodeColorField\":\"Account\",\"type\":1,\"colorPalette\":\"cool\"},\"groupByField\":\"Computer\",\"hivesMargin\":5}},\"customWidth\":\"50\",\"name\":\"authentication-failures-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID == 4624\\r\\n| summarize count() by Account, Computer, LogonType\\r\\n| project Account, Computer, LogonType\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Authentication success by user and host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"graphSettings\":{\"type\":2,\"topContent\":{\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"centerContent\":{\"columnMatch\":\"Account\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true},\"tooltipFormat\":{\"tooltip\":\"User account\"}},\"bottomContent\":{\"columnMatch\":\"LogonType\",\"formatter\":12,\"formatOptions\":{\"showIcon\":true},\"tooltipFormat\":{\"tooltip\":\"Logon 
type\"}},\"hivesContent\":{\"columnMatch\":\"Computer\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"nodeIdField\":\"Account\",\"nodeSize\":null,\"staticNodeSize\":150,\"colorSettings\":{\"nodeColorField\":\"Account\",\"type\":1,\"colorPalette\":\"pastel\"},\"groupByField\":\"Computer\",\"hivesMargin\":5}},\"customWidth\":\"50\",\"name\":\"Authentication-successes-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID == 4720\",\"size\":0,\"showAnalytics\":true,\"title\":\"EventID 4720 - SA Accounts are excluded\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"eventid-4720-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID == 4722\",\"size\":0,\"showAnalytics\":true,\"title\":\"EventID 4722 - SA and Computer Accounts are excluded\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"40\",\"name\":\"eventid-4722-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID == 4726\",\"size\":0,\"showAnalytics\":true,\"title\":\"EventID 4726 - SA and Computer Accounts are 
excluded\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"30\",\"name\":\"eventid-4726-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where (EventID==4720 or EventID==4738 or EventID==4728 or EventID==4732 or EventID==4746 or EventID==4751 or EventID==4756 or EventID==4761)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Created or Changed and Added to Group\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"accounts-created-or-changed-and-added-to-group-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where (EventID==4738 or EventID==4729 or EventID==4733 or EventID==4747 or EventID==4752 or EventID==4756 or EventID==4762) and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Changed and Removed from Group(s)\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-changed-and-removed-from-groups-query \",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4740 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Locked 
Out\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-locked-out-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4767 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Unlocked\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-unlocked-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4725 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Disabled\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-disabled-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4781 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Renamed\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-renamed-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4723 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Accounts Password Changed by 
user\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"accounts-password-changed-by-user-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"SecurityEvent\\r\\n| where EventID==4724 and Account contains @\\\"{user_name_value}\\\"\",\"size\":0,\"showAnalytics\":true,\"title\":\"Account Password Change by administrator\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"account-password-change-by-administrator-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_ppath_whitelist = process_create_whitelist | project process_parent_path;\\r\\nlet process_path_whitelist = process_create_whitelist | project process_path;\\r\\nlet command_line_whitelist = process_create_whitelist | project replace(\\\"'\\\", \\\"\\\", replace('\\\"', '', process_command_line));\\r\\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\\r\\nSysmon\\r\\n| where RenderedDescription contains \\\"Process create\\\" and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\\\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process 
Create\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_parent_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_parent_path\",\"label\":\"Process parent path\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File name\"},{\"columnId\":\"process_parent_command_line\",\"label\":\"Process parent command line\"},{\"columnId\":\"process_command_line\",\"label\":\"Process command line\"},{\"columnId\":\"process_parent_guid\",\"label\":\"Process parent GUID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"hash_sha256\",\"label\":\"Hash SHA256\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_parent_id\",\"label\":\"Process parent ID\"}]}},\"name\":\"process-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = process_access_whitelist | project process_path;\\r\\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\\r\\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\\r\\nSysmon\\r\\n| where RenderedDescription contains \\\"Process access\\\" and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ 
(target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process Access\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"target_process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"target_process_path\",\"label\":\"Target process path\"},{\"columnId\":\"process_granted_access\",\"label\":\"Process granted access\"},{\"columnId\":\"target_process_guid\",\"label\":\"Target process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"target_process_id\",\"label\":\"Target process ID\"}]}},\"name\":\"process-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet file_path_whitelist = file_create_whitelist | project file_path;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where RenderedDescription contains \\\"File create\\\" and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| project TimeGenerated, 
technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"File Created\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File name\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"file-created-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path__whitelist = image_load_whitelist | project process_path;\\r\\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\\r\\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\\r\\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\\r\\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\\r\\nSysmon\\r\\n| where RenderedDescription contains \\\"Image loaded\\\" and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\\r\\n| project TimeGenerated, technique_id, 
technique_name, phase_name, Computer, UserName, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Image Loaded\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"module_loaded\",\"label\":\"Module loaded\"},{\"columnId\":\"module_is_signed\",\"label\":\"Module is signed\"},{\"columnId\":\"module_signature\",\"label\":\"Module signature\"},{\"columnId\":\"module_signature_status\",\"label\":\"Module signature status\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"name\":\"image-loaded-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = network_whitelist | project process_path;\\r\\nlet src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nlet dst_port_whitelist = network_whitelist | project dst_port;\\r\\nSysmon\\r\\n| where RenderedDescription contains \\\"Network connect\\\" and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) 
and dst_port !in~ (dst_port_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network Connection\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"dst_port\",\"label\":\"Destination port\"},{\"columnId\":\"src_host_name\",\"label\":\"Source hostname\"},{\"columnId\":\"dst_host_name\",\"label\":\"Destination hostname\"}]}},\"name\":\"network-connection-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = remote_thread_whitelist | project process_path;\\r\\nlet target_process_path_whitelist = remote_thread_whitelist | project target_process_path;\\r\\nSysmon\\r\\n| where EventID == 8 and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, 
phase_name, Computer, target_process_path, thread_new_id, process_guid, process_parent_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Create Remote Thread\",\"noDataMessage\":\"No create remote thread events for selected time generated\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"create-remote-thread-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let event_type_whitelist = registry_whitelist | project event_type;\\r\\nlet process_path_whitelist = registry_whitelist | project process_path;\\r\\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\\r\\nSysmon\\r\\n| where EventID == 12 and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, process_id, process_guid, registry_key_path\",\"size\":0,\"showAnalytics\":true,\"title\":\"Registry Access\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process 
ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"registry_key_path\",\"label\":\"Registry key path\"}]}},\"name\":\"registry-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where (EventID == 17 or EventID==18) and UserName == @\\\"{user_name_value}\\\"\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipes\",\"noDataMessage\":\"No pipe create and connect events for selected time and user\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_span\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"pipes-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"3\"},\"name\":\"user-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides an overview of all triggers observed for the selected virtual machine (host) within the specified timespan. 
Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/Computer-drilldown-tab) for additional information.\"},\"name\":\"text - 11\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"2177bfac-f8b9-4727-88ed-53cfe144147d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Timespan\",\"type\":4,\"description\":\"Selects the time range for the drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":5184000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}],\"allowCustom\":true},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"4c8af66c-af5b-478a-853c-a8d6e3e9ec3f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"host\",\"label\":\"Host\",\"type\":2,\"description\":\"Selects the target host for the drilldown analysis\",\"isRequired\":true,\"query\":\"Sysmon\\r\\n| summarize by Computer\",\"value\":\"pc-test\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet 
process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| summarize count() by technique_name, bin(TimeGenerated, 1h)\",\"size\":0,\"title\":\"Activity by technique\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\"},\"name\":\"technique-activity-query \",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_ppath_whitelist = process_create_whitelist | project process_parent_path;\\r\\nlet process_path_whitelist = process_create_whitelist | project process_path;\\r\\nlet command_line_whitelist = process_create_whitelist | project replace(\\\"'\\\", \\\"\\\", replace('\\\"', '', process_command_line));\\r\\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 1\\r\\n| where isnotempty(technique_name)\\r\\n| where process_parent_path !in~ 
(process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\\\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, process_guid, hash_sha256, process_id, process_parent_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process create (not whitelisted)\",\"noDataMessage\":\"No process create activity matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_parent_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},{\"columnMatch\":\"Time generated\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"user_name\",\"label\":\"User\"},{\"columnId\":\"process_parent_path\",\"label\":\"Process parent path\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File name\"},{\"columnId\":\"process_parent_command_line\",\"label\":\"Process parent command line\"},{\"columnId\":\"process_command_line\",\"label\":\"Process command line\"},{\"columnId\":\"process_parent_guid\",\"label\":\"Process parent 
GUID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"hash_sha256\",\"label\":\"SHA256\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_parent_id\",\"label\":\"Process parent ID\"}]},\"sortBy\":[{\"itemKey\":\"TimeGenerated\",\"sortOrder\":2}]},\"name\":\"process-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = process_access_whitelist | project process_path;\\r\\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\\r\\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 10\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access !in~ (process_granted_access_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process access (not whitelisted)\",\"noDataMessage\":\"No process access activity matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"target_process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time 
generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"target_process_path\",\"label\":\"Target process path\"},{\"columnId\":\"process_granted_access\",\"label\":\"Process granted access\"},{\"columnId\":\"target_process_guid\",\"label\":\"Target process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"target_process_id\",\"label\":\"Target process ID\"}]}},\"name\":\"process-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet file_path_whitelist = file_create_whitelist | project file_path;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 11\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"File created (not whitelisted)\",\"noDataMessage\":\"No file create activity matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time 
generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"file-created-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path__whitelist = image_load_whitelist | project process_path;\\r\\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\\r\\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\\r\\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\\r\\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 7\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature !in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Image loaded (not whitelisted)\",\"noDataMessage\":\"No image loaded activity matching ATT&CK techniques for 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"module_loaded\",\"label\":\"Driver loaded\"},{\"columnId\":\"module_is_signed\",\"label\":\"Driver is signed\"},{\"columnId\":\"module_signature\",\"label\":\"Driver signature\"},{\"columnId\":\"module_signature_status\",\"label\":\"Signature status\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]},\"sortBy\":[]},\"name\":\"image-loaded-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = network_whitelist | project process_path;\\r\\nlet src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nlet dst_port_whitelist = network_whitelist | project dst_port;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 3\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, user_name, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, 
dst_host_name\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network connections (not whitelisted)\",\"noDataMessage\":\"No network connection activity matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"user_name\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"dst_port\",\"label\":\"Destination port\"},{\"columnId\":\"src_host_name\",\"label\":\"Source hostname\"},{\"columnId\":\"dst_host_name\",\"label\":\"Destination hostname\"}]}},\"name\":\"network-connections-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let event_type_whitelist = registry_whitelist | project event_type;\\r\\nlet process_path_whitelist = registry_whitelist | project process_path;\\r\\nlet registry_key_path_whitelist = registry_whitelist | project registry_key_path;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 12\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\\r\\n| 
project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path\",\"size\":0,\"showAnalytics\":true,\"title\":\"Registry access (not whitelisted)\",\"noDataMessage\":\"No registry access activity matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"EventType\",\"label\":\"Event type\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"registry_key_path\",\"label\":\"Registry key path\"}]}},\"name\":\"registry-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where EventID == 17\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, pipe_name, process_path, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipes (not whitelisted)\",\"noDataMessage\":\"No pipe create and connect activity 
matching ATT&CK techniques for host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"pipe_name\",\"label\":\"Pipe name\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"pipes-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let host_whitelist = dns_whitelist | project host;\\r\\nlet process_whitelist = dns_whitelist | project process_path;\\r\\nlet query_whitelist = dns_whitelist | project query_name;\\r\\nSysmon\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| where EventID == 22\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_whitelist) and dns_query_name !in~ (query_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, dns_query_name, dns_query_status, dns_query_results, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS queries (not whitelisted)\",\"noDataMessage\":\"No DNS activity matching ATT&CK techniques for 
host\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"dns_query_name\",\"label\":\"DNS query name\"},{\"columnId\":\"dns_query_status\",\"label\":\"DNS query status\"},{\"columnId\":\"dns_query_results\",\"label\":\"DNS query results\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"name\":\"dns-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where Source contains \\\"sysmon\\\"\\r\\n| where Computer contains \\\"{host}\\\"\\r\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\r\\n| project TimeGenerated, EventID, RenderedDescription, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data\",\"size\":0,\"showAnalytics\":true,\"title\":\"Raw sysmon logs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"EventID\",\"label\":\"Sysmon event ID\"},{\"columnId\":\"RenderedDescription\",\"label\":\"Sysmon 
event\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"}]}},\"name\":\"raw-logs-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"4\"},\"name\":\"computer-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides insights into all indicators related to the specified process GUID within the specified timespan. Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/Process-GUID-drilldown-tab) for additional information.\\n\\n**Note:** All data in this tab excludes whitelisted events.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"59e47110-94b7-42ce-9c93-4461d4ebf6f7\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time span\",\"type\":4,\"description\":\"Selects the time range for the drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":2592000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"},{\"id\":\"64a2ba73-0cf3-4865-97fb-1ecd00c1fd5f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"process_guid_selection\",\"label\":\"Process guid\",\"type\":2,\"isRequired\":true,\"query\":\"Sysmon\\r\\n| where isnotempty(process_guid)\\r\\n| summarize count() by tostring(process_guid)\\r\\n| project 
process_guid\",\"value\":\"{cd8ced07-a2c0-5ed2-3a03-000000000300}\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"08e73a7b-6251-4907-a370-4cd3c601b8bc\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"process\",\"label\":\"Process parent path\",\"type\":2,\"query\":\"Sysmon\\r\\n| where EventID == 1\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| project strcat(process_parent_id, \\\"-\\\", process_parent_path)\",\"value\":\"7564-C:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\MonitoringHost.exe\",\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ 
(process_path_dns_whitelist) and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| project TimeGenerated, EventID, RenderedDescription, process_path, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overview of Sysmon process GUIDs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"EventID\",\"label\":\"Event ID\"}]}},\"customWidth\":\"50\",\"name\":\"overview-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_create_whitelist = process_create_whitelist | project process_path;\\r\\nlet process_path_access_whitelist = process_access_whitelist | project process_path;\\r\\nlet process_path_dns_whitelist = dns_whitelist | project process_path;\\r\\nlet process_path_file_create_whitelist = file_create_whitelist | project process_path;\\r\\nlet process_path_image_load_whitelist = image_load_whitelist | project process_path;\\r\\nlet process_path_network_whitelist = network_whitelist | project process_path;\\r\\nlet process_path_pipe_whitelist = pipe_whitelist | project process_path;\\r\\nlet process_path_registry_whitelist = registry_whitelist | project process_path;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where isnotempty(technique_name)\\r\\n| where process_path !in~ (process_path_create_whitelist) and process_path !in~ (process_path_access_whitelist) and process_path !in~ (process_path_dns_whitelist) 
and process_path !in~ (process_path_file_create_whitelist) and process_path !in~ (process_path_image_load_whitelist) and process_path !in~ (process_path_network_whitelist) and process_path !in~ (process_path_pipe_whitelist) and process_path !in~ (process_path_registry_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, EventID, process_path, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\" Overview of Sysmon process GUIDs by ATT&CK techniques triggered\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"EventID\",\"label\":\"Event ID\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"customWidth\":\"50\",\"name\":\"ATT&CK-process-guid-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| project TimeGenerated, EventID, RenderedDescription, process_guid, process_path, process_parent_path\",\"size\":0,\"showAnalytics\":true,\"title\":\"Drilldown for selected 
GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"showExpandCollapseGrid\":true,\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"EventID\",\"label\":\"Event ID\"},{\"columnId\":\"RenderedDescription\",\"label\":\"Event description\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_parent_path\",\"label\":\"Process parent path\"}]},\"graphSettings\":{\"type\":0,\"topContent\":{\"formatOptions\":{\"showIcon\":true}},\"nodeIdField\":\"process_guid\",\"sourceIdField\":\"process_guid\",\"targetIdField\":\"process_path\",\"nodeSize\":null,\"staticNodeSize\":100,\"colorSettings\":null,\"hivesMargin\":5}},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sysmon\\r\\n| where isnotempty(process_parent_path)\\r\\n| where process_parent_path == tostring(split(@\\\"{process}\\\", \\\"-\\\")[1])\\r\\n| where isnotempty(process_path)\\r\\n| summarize c=count() by tostring(process_path), tostring(process_id)\\r\\n| sort by c desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overview of spawned child processes by selected process 
parent\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"c\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"c\",\"label\":\"Count\"}]},\"sortBy\":[]},\"customWidth\":\"50\",\"name\":\"query - 3\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let host_whitelist = process_create_whitelist | project host;\\r\\nlet user_whitelist = process_create_whitelist | project user;\\r\\nlet process_ppath_whitelist = process_create_whitelist | project process_parent_path;\\r\\nlet process_path_whitelist = process_create_whitelist | project process_path;\\r\\nlet command_line_whitelist = process_create_whitelist | project replace(\\\"'\\\", \\\"\\\", replace('\\\"', '', process_command_line));\\r\\nlet hash_whitelist = process_create_whitelist | project hash_sha256;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 1\\r\\n| where process_parent_path !in~ (process_ppath_whitelist) and process_path !in~ (process_path_whitelist) and replace('\\\"', '', tostring(process_command_line)) !in~ (command_line_whitelist) and hash_sha256 !in~ (hash_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_parent_path, process_path, file_name, process_parent_command_line, process_command_line, process_parent_guid, hash_sha256, process_id, process_parent_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process 
create\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_parent_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User name\"},{\"columnId\":\"process_parent_path\",\"label\":\"Process parent path\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File name\"},{\"columnId\":\"process_parent_command_line\",\"label\":\"Process parent command line\"},{\"columnId\":\"process_command_line\",\"label\":\"Process command line\"},{\"columnId\":\"process_parent_guid\",\"label\":\"Process parent GUID\"},{\"columnId\":\"hash_sha256\",\"label\":\"Hash SHA256\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_parent_id\",\"label\":\"Process parent ID\"}]}},\"name\":\"process-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = process_access_whitelist | project process_path;\\r\\nlet target_process_path_whitelist = process_access_whitelist | project target_process_path;\\r\\nlet process_granted_access_whitelist = process_access_whitelist | project process_granted_access;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 10\\r\\n| where process_path !in~ (process_path_whitelist) and target_process_path !in~ (target_process_path_whitelist) and process_granted_access 
!in~ (process_granted_access_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, target_process_path, process_granted_access, target_process_guid, process_id, target_process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Process access\",\"noDataMessage\":\"No process access activity found for this GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"target_process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"target_process_path\",\"label\":\"Target process path\"},{\"columnId\":\"process_granted_access\",\"label\":\"Process granted access\"},{\"columnId\":\"target_process_guid\",\"label\":\"Target process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"target_process_id\",\"label\":\"Target process ID\"}]}},\"name\":\"process-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet file_path_whitelist = file_create_whitelist | project file_path;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 11\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ 
(file_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, file_name, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"File create\",\"noDataMessage\":\"No file create activity for selected GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"file-create-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path__whitelist = image_load_whitelist | project process_path;\\r\\nlet driver_loaded_whitelist = image_load_whitelist | project driver_loaded;\\r\\nlet driver_signed_whitelist = image_load_whitelist | project driver_is_signed;\\r\\nlet drv_signature_whitelist = image_load_whitelist | project driver_signature;\\r\\nlet signat_status_whitelist = image_load_whitelist | project driver_signature_status;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 7\\r\\n| where process_path !in~ (process_path__whitelist) and module_loaded !in~ (driver_loaded_whitelist) and module_is_signed !in~ (driver_signed_whitelist) and module_signature 
!in~ (drv_signature_whitelist) and module_signature_status !in~ (signat_status_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, process_path, module_loaded, module_is_signed, module_signature, module_signature_status, process_id, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Image loaded\",\"noDataMessage\":\"No image loaded activity for selected GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"module_loaded\",\"label\":\"Module loaded\"},{\"columnId\":\"module_is_signed\",\"label\":\"Module is signed\"},{\"columnId\":\"module_signature\",\"label\":\"Module signature\"},{\"columnId\":\"module_signature_status\",\"label\":\"Module signature status\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"name\":\"image-loaded-query\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = network_whitelist | project process_path;\\r\\nlet src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nlet dst_port_whitelist = network_whitelist | project dst_port;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 3\\r\\n| where 
process_path !in~ (process_path_whitelist) and src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist) and dst_port !in~ (dst_port_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, dst_host_name\",\"size\":0,\"showAnalytics\":true,\"title\":\"Network connection\",\"noDataMessage\":\"No network connection activity for selected GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"dst_port\",\"label\":\"Destination port\"},{\"columnId\":\"src_host_name\",\"label\":\"Source hostname\"},{\"columnId\":\"dst_host_name\",\"label\":\"Destination hostname\"}]}},\"name\":\"network-connection-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let event_type_whitelist = registry_whitelist | project event_type;\\r\\nlet process_path_whitelist = registry_whitelist | project process_path;\\r\\nlet registry_key_path_whitelist = registry_whitelist | project 
registry_key_path;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| where EventID == 12 or EventID == 13\\r\\n| where process_path !in~ (process_path_whitelist) and EventType !in~ (event_type_whitelist) and registry_key_path !in~ (registry_key_path_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, EventType, Computer, process_path, process_id, process_guid, registry_key_path\",\"size\":0,\"showAnalytics\":true,\"title\":\"Registry access\",\"noDataMessage\":\"No registry access activity found for selected GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"EventType\",\"label\":\"Event type\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"registry_key_path\",\"label\":\"Registry key path\"}]}},\"name\":\"registry-access-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let host_whitelist = dns_whitelist\\r\\n| project host;\\r\\nlet process_whitelist = dns_whitelist\\r\\n| project process_path;\\r\\nlet query_whitelist = dns_whitelist\\r\\n| project query_name;\\r\\nSysmon\\r\\n| where isnotempty(process_guid)\\r\\n| where process_guid == \\\"{process_guid_selection}\\\"\\r\\n| 
where EventID == 22\\r\\n| where process_path !in~ (process_whitelist) and dns_query_name !in~ (query_whitelist)\\r\\n| project TimeGenerated, dns_query_name, dns_query_status, dns_query_results, process_path, Computer\",\"size\":0,\"showAnalytics\":true,\"title\":\"DNS requests\",\"noDataMessage\":\"No DNS request activity for selected GUID\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"dns_query_name\",\"label\":\"DNS query name\"},{\"columnId\":\"dns_query_status\",\"label\":\"DNS query status\"},{\"columnId\":\"dns_query_results\",\"label\":\"DNS query results\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"Computer\",\"label\":\"Host\"}]}},\"name\":\"DNS-request-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"5\"},\"name\":\"process-guid-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides insights into Sysmon network connection (Event ID 3) indicators within the specified timespan. 
Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/Network-connection-drilldown-tab) for additional information.\\n\\n**Note:** With the exception of the \\\"Raw Sysmon network connection logs\\\" table all data in this tab excludes whitelisted network connection activity.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"4a39c4e2-b095-49db-8dfa-333bf26bce9a\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time span\",\"type\":4,\"description\":\"Selects the timerange for the drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":1209600000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nSysmon\\r\\n| where isnotempty(src_ip) and isnotempty(dst_ip)\\r\\n| where src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist)\\r\\n| summarize c=count() by tostring(src_ip), tostring(dst_ip)\\r\\n| sort by c desc\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No network connection events for selected time 
span\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"graph\",\"graphSettings\":{\"type\":2,\"topContent\":{\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"centerContent\":{\"columnMatch\":\"src_ip\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true},\"tooltipFormat\":{\"tooltip\":\"Number of inbound connections\"}},\"bottomContent\":{\"columnMatch\":\"c\",\"formatOptions\":{\"showIcon\":true}},\"hivesContent\":{\"columnMatch\":\"dst_ip\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}},\"nodeIdField\":\"dst_ip\",\"targetIdField\":\"src_ip\",\"edgeSize\":\"c\",\"edgeLabel\":\"c\",\"nodeSize\":null,\"staticNodeSize\":80,\"colorSettings\":{\"nodeColorField\":\"c\",\"type\":4,\"heatmapPalette\":\"coldHot\",\"heatmapMin\":null,\"heatmapMax\":null},\"groupByField\":\"dst_ip\",\"hivesMargin\":5}},\"customWidth\":\"50\",\"name\":\"connection-query-1\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nSysmon\\r\\n| where isnotempty(src_ip) and isnotempty(dst_ip)\\r\\n| where src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist)\\r\\n| summarize c=count() by tostring(src_ip), tostring(dst_ip)\\r\\n| sort by c desc\\r\\n| project dst_ip, src_ip, c\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No network connection events for selected time 
span\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"c\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"c\",\"label\":\"Count of connections\"}]}},\"customWidth\":\"50\",\"name\":\"connections-query-2\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let src_ip_whitelist = network_whitelist | project src_ip;\\r\\nSysmon\\r\\n| where isnotempty(src_ip) and isnotempty(dst_ip)\\r\\n| where src_ip !in~ (src_ip_whitelist)\\r\\n| summarize count() by tostring(dst_ip), bin(TimeGenerated, 1h)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Activity by destination IP (excludes whitelisted source IPs)\",\"noDataMessage\":\"No network connection events for selected time span\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\"},\"name\":\"activity-by-destination-ip-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let src_ip_whitelist = network_whitelist | project src_ip;\\r\\nlet dst_ip_whitelist = network_whitelist | project dst_ip;\\r\\nSysmon\\r\\n| where isnotempty(src_ip) and isnotempty(dst_ip)\\r\\n| where src_ip !in~ (src_ip_whitelist) and dst_ip !in~ (dst_ip_whitelist)\\r\\n| project TimeGenerated, RenderedDescription, Computer, UserName, process_path, process_id, process_guid, src_ip, dst_ip, dst_port, src_host_name, 
dst_host_name\",\"size\":0,\"showAnalytics\":true,\"noDataMessage\":\"No network connection events for selected time span\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"RenderedDescription\",\"label\":\"Event description\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"src_ip\",\"label\":\"Source IP\"},{\"columnId\":\"dst_ip\",\"label\":\"Destination IP\"},{\"columnId\":\"dst_port\",\"label\":\"Destination port\"},{\"columnId\":\"src_host_name\",\"label\":\"Source hostname\"},{\"columnId\":\"dst_host_name\",\"label\":\"Destination hostname\"}]},\"chartSettings\":{\"xAxis\":\"TimeGenerated\"}},\"name\":\"ip-activity-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where Source contains \\\"sysmon\\\"\\r\\n| where TimeGenerated {time_range:query}\\r\\n| where EventID == 3\\r\\n| project TimeGenerated, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data\",\"size\":0,\"showAnalytics\":true,\"title\":\"Raw Sysmon network connection 
logs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true}},\"name\":\"raw-sysmon-network-logs-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"6\"},\"name\":\"network-connection-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides an overview of all Sysmon file create (Event ID 11) indicators within the specified timespan. Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/File-create-drilldown-tab) for additional information.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"ae226c3f-fb30-47bd-b7f3-d0ff236d6d6e\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time span\",\"type\":4,\"description\":\"Selects time range for drilldown\",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\nlet 
file_path_whitelist = file_create_whitelist | project file_path;\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\nSysmon\\n| where EventID == 11\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\n| project TimeGenerated, Computer, UserName, file_name, process_path, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overview of file create events (not whitelisted)\",\"noDataMessage\":\"No file create events for selected time frame\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"customWidth\":\"50\",\"name\":\"recorded-file-create-events-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where EventID == 11\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| summarize c=count() by tostring(process_path), tostring(file_name)\\r\\n| project process_path, file_name, c\\r\\n| sort by c desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Overview of file creates by process (not whitelisted)\",\"noDataMessage\":\"No file create events during selected time 
frame\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"c\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"c\",\"label\":\"Count\"}]}},\"customWidth\":\"50\",\"name\":\"file-creates-by-process-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"55bb9638-58b9-4432-9c33-58cc4243b9c1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"process_path_selection\",\"label\":\"Process path\",\"type\":2,\"description\":\"The process path to inspect for file create activity (excluding whitelisted process paths)\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where EventID==11\\r\\n| where process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| summarize by tostring(process_path)\",\"value\":null,\"typeSettings\":{\"additionalResourceOptions\":[]},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let file_name_whitelist = file_create_whitelist | project file_name;\\r\\nlet proc_path_whitelist = file_create_whitelist | project process_path;\\r\\nSysmon\\r\\n| where EventID == 11\\r\\n| where isnotempty(technique_name)\\r\\n| where 
process_path !in~ (proc_path_whitelist) and file_name !in~ (file_name_whitelist)\\r\\n| project TimeGenerated, technique_id, technique_name, phase_name, Computer, UserName, process_path, file_name, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"File create activity by ATT&CK technique (not whitelisted)\",\"noDataMessage\":\"No file create activity matching ATT&CK techniques during selected timeframe\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"technique_id\",\"label\":\"ID\"},{\"columnId\":\"technique_name\",\"label\":\"Technique\"},{\"columnId\":\"phase_name\",\"label\":\"Category\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"customWidth\":\"70\",\"name\":\"file-create-activity-by-technique-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Sysmon\\r\\n| where EventID == 11\\r\\n| where tostring(process_path) == @\\\"{process_path_selection}\\\"\\r\\n| summarize c=count() by tostring(file_name), bin(TimeGenerated, 1h)\\r\\n| sort by c desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"File create activity by 
process\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"filter\":true,\"labelSettings\":[{\"columnId\":\"file_name\",\"label\":\"File path\"},{\"columnId\":\"TimeGenerated\",\"label\":\"Datetime\"},{\"columnId\":\"c\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"file-create-activity-by-process-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where Source contains \\\"sysmon\\\"\\r\\n| where EventID == 11\\r\\n| extend RenderedDescription = tostring(split(RenderedDescription, \\\":\\\")[0])\\r\\n| project TimeGenerated, EventID, RenderedDescription, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data\",\"size\":0,\"showAnalytics\":true,\"title\":\"Raw Sysmon File Create logs\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"EventID\",\"label\":\"Event ID\"},{\"columnId\":\"RenderedDescription\",\"label\":\"Event description\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"Data\",\"label\":\"Raw Sysmon data\"}]}},\"name\":\"raw-file-create-logs-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"7\"},\"name\":\"file-create-drilldown-group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"This tab provides insights into Sysmon 
pipe create and connect (Event ID 17 and 18) indicators within the specified timespan. Consult [this documentation](https://github.com/BlueTeamLabs/sentinel-attack/wiki/Pipe-name-drilldown-tab) for additional information.\\n\\n**Note:** With the exception of the \\\"Raw events\\\" table all data in this tab excludes whitelisted pipe created and connected events.\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cbbf7114-b644-40f9-b010-5c7d646434f5\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_range\",\"label\":\"Time span\",\"type\":4,\"description\":\"Selects the time range for the drilldown\",\"value\":{\"durationMs\":86400000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"resourceType\":\"microsoft.insights/components\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where EventID == 17\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| project TimeGenerated, Computer, pipe_name, process_path, process_guid\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipe Create events\",\"noDataMessage\":\"No pipe create events for selected time 
generated\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"pipe_name\",\"label\":\"Pipe name\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"}]}},\"customWidth\":\"50\",\"name\":\"pipe-create-events-query\",\"styleSettings\":{\"progressStyle\":\"loader\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where EventID == 17 or EventID == 18\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| summarize c=count() by tostring(process_path), tostring(pipe_name)\\r\\n| project process_path, pipe_name, c\\r\\n| sort by c desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipe Create and Connect events\",\"noDataMessage\":\"No pipe create and connect events for selected time generated\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"c\",\"formatter\":8,\"formatOptions\":{\"palette\":\"red\",\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"pipe_name\",\"label\":\"Pipe name\"},{\"columnId\":\"c\",\"label\":\"Event 
count\"}]}},\"customWidth\":\"50\",\"name\":\"pipe-create-and-connect-events-query\",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where EventID == 18\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| summarize count() by tostring(pipe_name), bin(TimeGenerated, 1h)\",\"size\":0,\"showAnalytics\":true,\"title\":\"Activity by Pipe Connects\",\"noDataMessage\":\"Unable to generate visualisation - insufficient data points\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"scatterchart\"},\"name\":\"activity-by-pipe-connects-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let process_path_whitelist = pipe_whitelist | project process_path;\\r\\nlet pipe_name_whitelist = pipe_whitelist | project pipe_name;\\r\\nSysmon\\r\\n| where EventID == 18\\r\\n| where process_path !in~ (process_path_whitelist) and pipe_name !in~ (pipe_name_whitelist)\\r\\n| project TimeGenerated, Computer, pipe_name, process_path, process_guid, process_id\",\"size\":0,\"showAnalytics\":true,\"title\":\"Pipe Connects\",\"noDataMessage\":\"No pipe connect events for selected time generated\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"process_guid\",\"formatter\":1,\"formatOptions\":{\"showIcon\":true}}],\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time 
generated\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"pipe_name\",\"label\":\"Pipe name\"},{\"columnId\":\"process_path\",\"label\":\"Process path\"},{\"columnId\":\"process_guid\",\"label\":\"Process GUID\"},{\"columnId\":\"process_id\",\"label\":\"Process ID\"}]}},\"name\":\"pipe-connects-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"Event\\r\\n| where Source contains \\\"sysmon\\\"\\r\\n| where EventID == 17 or EventID == 18\\r\\n| project TimeGenerated, EventID, Computer, UserName, Data=parse_xml(EventData).DataItem.EventData.Data\",\"size\":0,\"showAnalytics\":true,\"title\":\"Raw events\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_range\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"filter\":true,\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time generated\"},{\"columnId\":\"EventID\",\"label\":\"Event ID\"},{\"columnId\":\"Computer\",\"label\":\"Host\"},{\"columnId\":\"UserName\",\"label\":\"User\"},{\"columnId\":\"Data\",\"label\":\"Raw Sysmon data\"}]}},\"name\":\"raw-events-query\",\"styleSettings\":{\"progressStyle\":\"loader\"}}]},\"conditionalVisibility\":{\"parameterName\":\"navigation_value\",\"comparison\":\"isEqualTo\",\"value\":\"8\"},\"name\":\"pipe-name-drilldown-group\"},{\"type\":1,\"content\":{\"json\":\"---\\r\\nSysmon threat hunting v.1.4.0\"},\"name\":\"text - 5\"}],\"isLocked\":false,\"fallbackResourceIds\":[\"/subscriptions/dcbe8d65-7627-4f61-97aa-70a6e2dffe3e/resourcegroups/sentineltest-rg/providers/microsoft.operationalinsights/workspaces/sentineltest-la\"],\"fromTemplateId\":\"sentinel-UserWorkbook\"}",
"version": "1.4",
"sourceId": "[parameters('workbookSourceId')]",
"category": "[parameters('workbookType')]"
}
}
]
}