

Merge pull request Azure#10574 from Azure/v-shukore/NetworkSesionEsse…
…ntials

Added missing DC reference in Analytic Rule for Network Session Essentials Solution
v-atulyadav authored Jun 5, 2024
2 parents d3377f2 + 300dc95 commit 50ceca4
Showing 18 changed files with 543 additions and 326 deletions.
Expand Up @@ -239,5 +239,6 @@
"InfobloxSOCInsightsDataConnector_Legacy",
"InfobloxSOCInsightsDataConnector_AMA",
"NetskopeDataConnector",
"NetskopeWebTransactionsDataConnector"
"NetskopeWebTransactionsDataConnector",
"CiscoAsaAma"
]
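Review bot: The hunk adds `"CiscoAsaAma"` to this list but not `"WindowsSecurityEvents"`, which every analytic-rule and hunting-query file in this commit adds as a new `connectorId`. If this array is the set of connector ids that template validation accepts, confirm `"WindowsSecurityEvents"` already appears above the hunk; otherwise those rules will fail the same check this change is meant to satisfy. The enclosing array starts outside the hunk.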
Expand Up @@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -41,6 +44,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -184,5 +190,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: Anomaly was observed with {{anomalyFieldValue}} Traffic
alertDescriptionFormat: 'Based on past data, anomaly was observed in {{anomalyFieldValue}} Traffic with a score of {{score}}.'
version: 1.0.0
version: 1.0.1
kind: Scheduled
Expand Up @@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -41,6 +44,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -183,5 +189,5 @@ alertDetailsOverride:
alertDescriptionFormat: '{{Description}}'
alertTacticsColumnName: Tactic
alertSeverityColumnName: Severity
version: 1.0.1
version: 1.0.2
kind: Scheduled
Expand Up @@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -41,6 +44,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -143,5 +149,5 @@ alertDetailsOverride:
alertDescriptionFormat: '{{Description}}'
alertTacticsColumnName: Tactic
alertSeverityColumnName: Severity
version: 1.0.0
version: 1.0.1
kind: Scheduled
Expand Up @@ -20,6 +20,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -44,6 +47,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -86,5 +92,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: Excessive number of failed connections from {{SrcIpAddr}}
alertDescriptionFormat: 'The client at address {{SrcIpAddr}} generated more than {{threshold}} failures over a 5 minutes time window, which may indicate malicious activity.'
version: 1.2.6
version: 1.2.7
kind: Scheduled
Expand Up @@ -17,6 +17,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -41,6 +44,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -80,5 +86,5 @@ customDetails:
alertDetailsOverride:
alertDisplayNameFormat: Network Port Sweep detected on {{DstPortNumber}}
alertDescriptionFormat: 'Network Port Sweep was detection by multiple IPs'
version: 1.0.2
version: 1.0.3
kind: Scheduled
Expand Up @@ -19,6 +19,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -43,6 +46,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -90,5 +96,5 @@ entityMappings:
customDetails:
AttemptedPortsCount: AttemptedPortsCount

version: 1.0.5
version: 1.0.6
kind: Scheduled
Expand Up @@ -16,6 +16,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -40,6 +43,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Down Expand Up @@ -155,5 +161,5 @@ customDetails:
FrequencyTime: MostFrequentTimeDeltaCount
TotalDstBytes: TotalDstBytes

version: 1.1.5
version: 1.1.6
kind: Scheduled
Expand Up @@ -35,7 +35,7 @@
],
"WatchlistDescription": "Monitor Network Session Essentials Solution's' configurable conditions here. Choose between Detection or Hunting for Type and set Threshold type to Static or Anomaly to tune monitoring as needed",
"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions\\Network Session Essentials",
"Version": "3.0.3",
"Version": "3.0.4",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
Expand Up @@ -7,7 +7,7 @@ description-detailed: |
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
SchemaVersion: 0.2.5
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
Expand All @@ -18,6 +18,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -42,6 +45,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
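Review bot: `SchemaVersion` under `tags` is bumped from `0.2.4` to `0.2.5` in the first hunk of this file and of the next three hunting-query files, although the only other change is to `requiredDataConnectors`. The tag sits beside `Schema: ASimNetworkSessions` and reads as the ASIM schema revision the query is written against rather than the query's own revision; if that reading is right, adding connectors does not change the schema dependency and the bump misstates it. Confirm `0.2.5` is a published revision of that schema, or keep `SchemaVersion: 0.2.4` and record the content change elsewhere. The `tags` sequence starts outside the hunk.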
Expand Up @@ -5,7 +5,7 @@ description: |
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
SchemaVersion: 0.2.5
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
Expand All @@ -16,6 +16,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -40,6 +43,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Up @@ -5,7 +5,7 @@ description: |
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
SchemaVersion: 0.2.5
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
Expand All @@ -16,6 +16,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -40,6 +43,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Expand Up @@ -5,7 +5,7 @@ description: |
tags:
- Schema: ASimNetworkSessions
SchemaVersion: 0.2.4
SchemaVersion: 0.2.5
requiredDataConnectors:
- connectorId: AWSS3
dataTypes:
Expand All @@ -16,6 +16,9 @@ requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsForwardedEvents
dataTypes:
- WindowsEvent
Expand All @@ -40,6 +43,9 @@ requiredDataConnectors:
- connectorId: CiscoASA
dataTypes:
- CommonSecurityLog
- connectorId: CiscoAsaAma
dataTypes:
- CommonSecurityLog
- connectorId: Corelight
dataTypes:
- Corelight_CL
Binary file not shown.
Expand Up @@ -212,7 +212,7 @@
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.<br><br> \n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
"text": "This rule identifies a single source that generates an excessive amount of failed connections. Modify the threshold to change the sensitivity of the rule: the higher the threshold, the less sensitive is the rule and less incidents will be generated.\n This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
}
}
]
Expand All @@ -226,7 +226,7 @@
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.<br><br>\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
"text": "This rule identifies a possible port scan, in which a single source tries to access a large number of different ports is a short time frame. This may indicate that a [port scanner](https://en.wikipedia.org/wiki/Port_scanner) is trying to identify open ports in order to penetrate a system.\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema"
}
}
]
Expand All @@ -240,7 +240,7 @@
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. Such potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\\<br><br>\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'"
"text": "This rule identifies beaconing patterns from Network traffic logs based on recurrent frequency patterns. \nSuch potential outbound beaconing patterns to untrusted public networks should be investigated for any malware callbacks or data exfiltration attempts as discussed in this [Blog](https://medium.com/@HuntOperator/detect-beaconing-with-flare-elastic-stack-and-intrusion-detection-systems-110dc74e0c56).\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema'"
}
}
]
Expand Down Expand Up @@ -292,7 +292,7 @@
"name": "huntingquery2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This hunting query detect anomalous pattern in port usage with ASIM normalization. To tune the query to your environment configure it using the 'NetworkSession_Monitor_Configuration' watchlist. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
"text": "This hunting query detect anomalous pattern in port usage with ASIM normalization. To tune the query to your environment configure it using the 'NetworkSession_Monitor_Configuration' watchlist. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
}
}
]
Expand All @@ -306,7 +306,7 @@
"name": "huntingquery3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "There is an normal amount of traffic that goes on a particular port in any organization. This hunting query identifies port usage higher than threshold defined in 'NetworkSession_Monitor_Configuration' watchlist to determine high port usage. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
"text": "There is an normal amount of traffic that goes on a particular port in any organization. This hunting query identifies port usage higher than threshold defined in 'NetworkSession_Monitor_Configuration' watchlist to determine high port usage. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
}
}
]
Expand All @@ -320,7 +320,7 @@
"name": "huntingquery4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Ideally one user should be associated with one MAC ID, this hunting query will identify if same MAC ID is associated with more than one user which can be a case of MAC spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
"text": "Ideally one user should be associated with one MAC ID, this hunting query will identify if same MAC ID is associated with more than one user which can be a case of MAC spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
}
}
]
Expand All @@ -334,7 +334,7 @@
"name": "huntingquery5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "Every standard app has a port associated with it. This query will identify if destination port associated with destination app is not standard which can be a case of network spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
"text": "Every standard app has a port associated with it. This query will identify if destination port associated with destination app is not standard which can be a case of network spoofing attack. This hunting query depends on AWSS3 MicrosoftThreatProtection SecurityEvents WindowsSecurityEvents WindowsForwardedEvents Zscaler MicrosoftSysmonForLinux PaloAltoNetworks AzureMonitor(VMInsights) AzureFirewall AzureNSG CiscoASA CiscoAsaAma Corelight AIVectraStream CheckPoint Fortinet CiscoMeraki data connector (AWSVPCFlow DeviceNetworkEvents SecurityEvent SecurityEvent WindowsEvent CommonSecurityLog Syslog CommonSecurityLog VMConnection AzureDiagnostics AzureDiagnostics CommonSecurityLog CommonSecurityLog Corelight_CL VectraStream CommonSecurityLog CommonSecurityLog Syslog CiscoMerakiNativePoller Parser or Table)"
}
}
]
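Review bot: The new `"analytic9-text"` value still ends with a stray apostrophe, `…supports the ASIM NetworkSession schema'"`, carried over from the old line, so the rendered block shows a trailing `'`; drop it so the line ends `…supports the ASIM NetworkSession schema"` like the other two analytic blocks. The `<br><br>` removed from the three analytic texts is replaced only by `\n`; confirm the TextBlock control renders a bare newline as a line break, otherwise the two sentences now run together. The regenerated hunting-query texts also repeat data-type names (`SecurityEvent SecurityEvent`, `CommonSecurityLog CommonSecurityLog`) in a user-facing string; if the generator cannot deduplicate, trim the repeats by hand.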
