Blog Support Queries by aprakash13 · Pull Request #3471 · Azure/Azure-Sentinel

aprakash13 · 2021-11-18T03:36:29Z

Fixes #

Proposed Changes

…-sentinel into Queries_Blog_Support

updating file extension

…-sentinel into Queries_Blog_Support

oshezaf · 2021-11-21T08:26:51Z

@aprakash13 , @petebryan : a few rather important comments in this PR:

ActingProcessSHA256

The need to add ActingProcessSHA256 to the imFileEvent custom validation raises an issue we have to deal with on the validation side. We do promote normalizing as many fields even if we did not add them to the schema s they are not very common in sources, but don't do good in supporting validation for them.
That said, and expectedly for a non-schema field, using ActingProcessSHA256 in analytics presents a challenge: it is not part of the schema since file event sources do not commonly provide hash values for the process executable:
- If there is a real need to get ActingProcess hash information, it is really recommended to correlate with a process event, probably based on the Acting Process Name. Maybe in this specific case, you want to correlate only with the process event (having the correct Hash for the process probably is much more important than the file names).

GuardDuty

In general, built-in tables do not need to have custom validation jsons. I have raised the issue with Amit and Alaa (who is in charge of the AWS connectors). Probably an issue with updating the validation system with the latest built-in schemas.

Blog Support Queries

1fa3315

aprakash13 requested a review from petebryan November 18, 2021 03:36

aprakash13 assigned petebryan Nov 18, 2021

aprakash13 added 3 commits November 17, 2021 19:52

Update Dev-0228FilePathHashesNovember2021.yaml

d184cf9

Update imFileEvent_Dev-0228FilePathHashesNovember2021-ASIM.yaml

4aaf507

Update imFileEvent_Dev-0228FilePathHashesNovember2021-ASIM.yaml

2fc4f13

aprakash13 and others added 16 commits November 17, 2021 20:25

Update imFileEvent_Dev-0228FilePathHashesNovember2021-ASIM.yaml

aae9d1b

Removing Un-needed file

eb3e998

Merge branch 'Queries_Blog_Support' of https://github.com/azure/azure…

d88ee4c

…-sentinel into Queries_Blog_Support

Updated imFileEvent schema

e5794b6

test update for debugging

7ef62d9

more test debugging

d682c32

more debugging

896e0a6

more debugging

dd65a24

debugging

c50f61d

debugging tests

1776382

Rename AWS_GuardDuty_template.YAML to AWS_GuardDuty_template.yaml

7cf90f7

updating file extension

Adding AWSGuardDuty Table Schema and removing debugging

97d1ed3

Merge branch 'Queries_Blog_Support' of https://github.com/azure/azure…

7e88022

…-sentinel into Queries_Blog_Support

Fixed Guard Duty Query

8b9b827

More fixes for AWS Guard Duty Query

2d35999

Fixes to AWS Guard Duty Query

32f3fc0

petebryan mentioned this pull request Nov 18, 2021

Adding AWS Guard Duty detection #3448

Merged

petebryan approved these changes Nov 18, 2021

View reviewed changes

petebryan merged commit 10b11a0 into master Nov 18, 2021

shainw deleted the Queries_Blog_Support branch November 25, 2021 01:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Blog Support Queries#3471

Blog Support Queries#3471
petebryan merged 20 commits into
masterfrom
Queries_Blog_Support

aprakash13 commented Nov 18, 2021

Uh oh!

oshezaf commented Nov 21, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

aprakash13 commented Nov 18, 2021

Proposed Changes

Uh oh!

oshezaf commented Nov 21, 2021

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants