From 948bc4e1697d0675e0b63fc0e937e64c5557ed89 Mon Sep 17 00:00:00 2001
From: Elleinshar <159253107+Elleinshar@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:35:37 +0200
Subject: [PATCH 1/5] Adding new table for ThreatIntelIndicator
---
 ...raph activity with MS Sentinel Threat Intelligence.kql | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
index d0c65c1..b4dcd56 100644
--- a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
+++ b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
@@ -8,6 +8,14 @@ MicrosoftGraphActivityLogs
 | distinct IPAddress
 | join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP
+// Add New Query for new Table ThreatIntelIndicator as the previous one is deprecated and will shut down soon.
+
+MicrosoftGraphActivityLogs
+| where TimeGenerated > ago(1h)
+| distinct IPAddress
+| join kind = inner (ThreatIntelligenceIndicator
+| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic"))on $left.IPAddress == $right.ObservableValue
+
 //Microsoft have released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment.
 SigninLogs
From 038fead07e43cf7d3fe998bff3af792e670192b7 Mon Sep 17 00:00:00 2001
From: Elleinshar <159253107+Elleinshar@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:37:40 +0200
Subject: [PATCH 2/5] Update Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
---
 ...s MS graph activity with MS Sentinel Threat Intelligence.kql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
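Review bot: The subquery added at `| join kind = inner (... )on $left.IPAddress == $right.ObservableValue` joins against every stored row of a matching indicator, and the new STIX-based table keeps one row per indicator update plus deleted entries, so a single IP can be reported several times and against stale versions. Inside the parenthesised subquery, drop deleted and expired rows and keep only the latest version per indicator, e.g. `| where IsDeleted == false and ValidUntil > now()` followed by `| summarize arg_max(TimeGenerated, *) by Id`, before the join. The same pattern is used in the TeamsPhisher hunk (patch 3), the renamed Graph subquery (patch 4) and the Copilot hunk (patch 5). Column names are taken from the documentation linked in the added comment; confirm them against the workspace schema.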
diff --git a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
index b4dcd56..8d93db8 100644
--- a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
+++ b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
@@ -8,7 +8,7 @@ MicrosoftGraphActivityLogs
 | distinct IPAddress
 | join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP
-// Add New Query for new Table ThreatIntelIndicator as the previous one is deprecated and will shut down soon.
+// Add New Query for new Table ThreatIntelIndicator as the previous one is deprecated and will shut down soon. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
 MicrosoftGraphActivityLogs
 | where TimeGenerated > ago(1h)
From 31395c7d88ea79febb1d7092d131f29f48d946dd Mon Sep 17 00:00:00 2001
From: Elleinshar <159253107+Elleinshar@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:45:07 +0200
Subject: [PATCH 3/5] Add new Table ThreatIntelIndicator
---
 ... TeamsPhisher attack with Azure Sentinel.kql | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/Sentinel/Detecting TeamsPhisher attack with Azure Sentinel.kql b/Sentinel/Detecting TeamsPhisher attack with Azure Sentinel.kql
index 44bcd9a..9e29468 100644
--- a/Sentinel/Detecting TeamsPhisher attack with Azure Sentinel.kql
+++ b/Sentinel/Detecting TeamsPhisher attack with Azure Sentinel.kql
@@ -15,6 +15,23 @@ and UserId !endswith "your_corporate_domain_3"
 | distinct UserIPs
 | join ThreatIntelligenceIndicator on $left.UserIPs == $right.NetworkIP
+// Upgrade Detection to new Table ThreatIntelIndicators. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
+
+OfficeActivity
+| where TimeGenerated > ago(1h)
+| where RecordType =~ 'MicrosoftTeams'
+| where Operation == "MessageCreatedHasLink"
+| where CommunicationType == "OneOnOne" or CommunicationType == "GroupChat"
+| where UserId !endswith "your_corporate_domain_1" // Filter off all internal teams user 1-to-1 message
+and UserId !endswith "your_corporate_domain_2"
+and UserId !endswith "your_corporate_domain_3"
+| extend UserDomains = tostring(split(UserId, '@')[1])
+| extend UserIPs = tostring(split(ClientIP, '::ffff:')[1])
+| where UserIPs != ""
+| distinct UserIPs
+| join kind = inner ThreatIntelIndicators
+| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic") )on $left.UserIPs == $right.ObservableValue
+
 // MITRE ATT&CK Mapping
 // Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:
From d19f7ab4b9aa33b847c294b89b2d700c54d2828f Mon Sep 17 00:00:00 2001
From: Elleinshar <159253107+Elleinshar@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:45:17 +0200
Subject: [PATCH 4/5] Change Table Name
---
 ...MS graph activity with MS Sentinel Threat Intelligence.kql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
index 8d93db8..0a6a7b8 100644
--- a/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
+++ b/Sentinel/Defending malicious MS graph activity with MS Sentinel Threat Intelligence.kql
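Review bot: The subquery opened at `| join kind = inner ThreatIntelIndicators` is missing its opening parenthesis while the following line closes one with `) )on`, so the query will not parse; the Graph version in patch 1 has the bracket in the right place. Change the line to `| join kind = inner (ThreatIntelIndicators`. Separately, `UserIPs` is built with `split(ClientIP, '::ffff:')[1]` and empty results are dropped, so only IPv4-mapped IPv6 addresses reach the join and the `"ipv6-addr"` entry in the right-side filter can never match; this appears to be inherited from the existing query above, so a short comment stating the intent would help the next maintainer.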
@@ -8,12 +8,12 @@ MicrosoftGraphActivityLogs
 | distinct IPAddress
 | join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP
-// Add New Query for new Table ThreatIntelIndicator as the previous one is deprecated and will shut down soon. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
+// Add New Query for new Table ThreatIntelIndicators as the previous one is deprecated and will shut down soon. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
 MicrosoftGraphActivityLogs
 | where TimeGenerated > ago(1h)
 | distinct IPAddress
-| join kind = inner (ThreatIntelligenceIndicator
+| join kind = inner (ThreatIntelIndicators
 | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic"))on $left.IPAddress == $right.ObservableValue
 //Microsoft have released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment.
From a328dd731ae6f088f2dae1839459df9ca1d5250a Mon Sep 17 00:00:00 2001
From: Elleinshar <159253107+Elleinshar@users.noreply.github.com>
Date: Mon, 4 Aug 2025 18:46:53 +0200
Subject: [PATCH 5/5] Add new Table THreatIntelIndicators
---
 ...365 Copilot Extensions Threat Monitoring.kql | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/Sentinel/M365 Copilot Extensions Threat Monitoring.kql b/Sentinel/M365 Copilot Extensions Threat Monitoring.kql
index 131cf48..06d53d2 100644
--- a/Sentinel/M365 Copilot Extensions Threat Monitoring.kql
+++ b/Sentinel/M365 Copilot Extensions Threat Monitoring.kql
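Review bot: The rename to `ThreatIntelIndicators` leaves the unchanged context line `| where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")` in place, and I could not confirm that the new table exposes an `IndicatorType` column; its rows are keyed by `ObservableKey`/`ObservableValue`, where the observable type is the prefix of `ObservableKey` (for example `ipv4-addr:value`). A missing column makes the whole query fail rather than return nothing, so verify the column against the schema linked in the comment and, if it is absent, filter with `| where ObservableKey startswith "ipv4-addr" or ObservableKey startswith "ipv6-addr"` instead. The same filter appears in the patch 1, patch 3 and patch 5 hunks.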
@@ -24,6 +24,23 @@ CloudAppEvents
 | extend Action = tostring(PluginAccessURL.Action)
 | join ThreatIntelligenceIndicator on $left.Domain == $right.DomainName
+// Upgrade Detection to new Table ThreatIntelIndicators. Ref : https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators
+
+CloudAppEvents
+| where TimeGenerated > ago(1h)
+| where ActionType == @"CopilotInteraction"
+| extend UserID = tostring(RawEventData.UserId)
+| extend CopilotData = todynamic(RawEventData.CopilotEventData)
+| extend CopilotPlugin = tostring(CopilotData.AISystemPlugin[0].Id)
+| where isnotempty(CopilotPlugin)
+| extend PluginAccessURL = tostring(CopilotData.AccessedResources)
+| mv-expand todynamic(PluginAccessURL)
+| where PluginAccessURL has "SiteUrl"
+| extend Url = tostring(PluginAccessURL.SiteUrl)
+| extend Domain = tostring(parse_url(Url).Host)
+| extend Action = tostring(PluginAccessURL.Action)
+| join kind = inner (ThreatIntelligenceIndicator
+| where IndicatorType == "domain-name" )on $left.Domain == $right.ObservableValue
 // MITRE ATT&CK
 // T1116 Browser Extensions
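Review bot: The added comment says the detection is upgraded to `ThreatIntelIndicators`, but the subquery still reads `| join kind = inner (ThreatIntelligenceIndicator` — the deprecated table — while joining on `$right.ObservableValue`, a column of the new table, so this query fails on the old schema and never reaches the new one. Patch 4 corrects exactly this slip in the Graph file but this hunk was left with the old name; change the line to `| join kind = inner (ThreatIntelIndicators`. The commit subject also spells the table `THreatIntelIndicators`, which is worth fixing before merge so a search for the table name finds this change.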