Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory

Back
Ida333d8bf-22a3-4c55-a1e9-5f0a135c0253
RulenameMicrosoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
DescriptionThis query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR.

In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group,

IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert.

Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 ,

https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972
SeverityHigh
TacticsInitialAccess
TechniquesT1190
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml
Version1.0.3
Arm templatea333d8bf-22a3-4c55-a1e9-5f0a135c0253.json
Deploy To Azure
let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.C", "Behavior:Win32/LaunchingSuspCMD.B"]);
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join kind=inner ( SecurityAlert
| where ProviderName == "MDATP"
| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)
| extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - SecurityAlert
triggerOperator: gt
queryFrequency: 1d
name: Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory
tags:
- CVE-2022-29972
queryPeriod: 1d
metadata:
  categories:
    domains:
    - Security - Threat Protection
  support:
    tier: Community
  author:
    name: Ashwin Patil
  source:
    kind: Community
id: a333d8bf-22a3-4c55-a1e9-5f0a135c0253
description: |
  'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. 
  In Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, 
  IP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. 
  Reference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , 
  https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'  
severity: High
query: |
  let mde_threats = dynamic(["Behavior:Win32/SuspAzureRequest.A", "Behavior:Win32/SuspAzureRequest.B", "Behavior:Win32/SuspAzureRequest.C", "Behavior:Win32/LaunchingSuspCMD.B"]);
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join kind=inner ( SecurityAlert
  | where ProviderName == "MDATP"
  | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
  | extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)
  | where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)
  | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity
  | summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities  
version: 1.0.3
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: CompromisedEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: PublicIP
relevantTechniques:
- T1190
tactics:
- InitialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a333d8bf-22a3-4c55-a1e9-5f0a135c0253')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a333d8bf-22a3-4c55-a1e9-5f0a135c0253')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Microsoft Defender for Endpoint (MDE) signatures for Azure Synapse pipelines and Azure Data Factory",
        "description": "'This query looks for Microsoft Defender for Endpoint detections related to the remote command execution attempts on Azure IR with Managed VNet or SHIR. \nIn Microsoft Sentinel, the SecurityAlerts table includes the name of the impacted device. Additionally, this query joins the DeviceInfo table to connect other information such as device group, \nIP address, signed in users, and others allowing analysts using Microsoft Sentinel to have more context related to the alert. \nReference: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29972 , \nhttps://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-third-party-data-connector-used-in-azure-synapse-pipelines-and-azure-data-factory-cve-2022-29972'\n",
        "severity": "High",
        "enabled": true,
        "query": "let mde_threats = dynamic([\"Behavior:Win32/SuspAzureRequest.A\", \"Behavior:Win32/SuspAzureRequest.B\", \"Behavior:Win32/SuspAzureRequest.C\", \"Behavior:Win32/LaunchingSuspCMD.B\"]);\nDeviceInfo\n| extend DeviceName = tolower(DeviceName)\n| join kind=inner ( SecurityAlert\n| where ProviderName == \"MDATP\"\n| extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)\n| extend ThreatFamilyName = tostring(parse_json(ExtendedProperties).ThreatFamilyName)\n| where ThreatName in~ (mde_threats) or ThreatFamilyName in~ (mde_threats)\n| extend CompromisedEntity = tolower(CompromisedEntity)\n) on $left.DeviceName == $right.CompromisedEntity\n| summarize by DisplayName, ThreatName, ThreatFamilyName, PublicIP, AlertSeverity, Description, tostring(LoggedOnUsers), DeviceId, TenantId , bin(TimeGenerated, 1d), CompromisedEntity, tostring(LoggedOnUsers), ProductName, Entities\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "alertRuleTemplateName": "a333d8bf-22a3-4c55-a1e9-5f0a135c0253",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "CompromisedEntity"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "PublicIP"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          "CVE-2022-29972"
        ],
        "templateVersion": "1.0.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/MDE_hitsforADFandAzureSynapsePipelines.yaml"
      }
    }
  ]
}