
Detection : External User Added to Team and Immediately Uploads File #3556

Merged
merged 5 commits into from
Dec 30, 2021

Conversation

samikroy
Copy link
Contributor

Proposed Changes

This detection identifies when an external user is added to a Team or Teams chat
and, within 1 minute of being added, uploads a file via the chat.

@ep3p
Copy link
Contributor

ep3p commented Nov 27, 2021

You may want to specify the kind of join to not lose events of the left table.

@samikroy
Copy link
Contributor Author

You may want to specify the kind of join to not lose events of the left table.

Thank you for the review @ep3p .
Have added inner as a join kind to avoid default innerunique picking a random one.
Please let know further.

@shainw
Copy link
Contributor

shainw commented Nov 30, 2021

Adding @petebryan as he did the Hunting query that this is based on and he may have tested to see if this type of detection was too noisy for a detection - https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/UserAddToTeamsAndUploadsFile.yaml.. @petebryan - thoughts?

@samikroy
Copy link
Contributor Author

Adding @petebryan as he did the Hunting query that this is based on and he may have tested to see if this type of detection was too noisy for a detection - https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/OfficeActivity/UserAddToTeamsAndUploadsFile.yaml.. @petebryan - thoughts?

@petebryan - please share your thoughts

@petebryan
Copy link
Contributor

@samikroy so when I first created this we didn't have an official Teams connector publicly available yet, so we had limited data to determine the FP rate. However, the data did show this was potentially quite noisy. It would be good to re-evaluate to see if that is still the case.

@samikroy
Copy link
Contributor Author

samikroy commented Dec 2, 2021

@samikroy so when I first created this we didn't have an official Teams connector publicly available yet, so we had limited data to determine the FP rate. However, the data did show this was potentially quite noisy. It would be good to re-evaluate to see if that is still the case.

Agree @petebryan, this detection now applies a few more filters:

External User Added > File Uploaded > File is accessed by many users > External user is removed.
Please have a look and let me know
Thank you.
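The four-stage pipeline described in this PR (external user added, file uploaded within 1 minute, file accessed by many users, external user removed), as an added Python example run over constructed events; this is not code from the PR or from the Azure-Sentinel repository, and the field names, the #EXT# convention in the member UPN and the three-reader threshold are assumptions. Stage 1 keeps every (add, upload) pair, which is the point ep3p raised about the join kind.

```python
from datetime import datetime, timedelta

# Constructed OfficeActivity-style Teams events (sample data, not real telemetry).
# Field names are assumptions loosely modelled on the OfficeActivity table.
def ev(t, op, actor, team, member=None, file=None):
    return {"time": datetime.fromisoformat(t), "op": op, "actor": actor,
            "team": team, "member": member, "file": file}

EXT = "bob_fabrikam.com#EXT#@contoso.com"
EVENTS = [
    ev("2021-12-01T10:00:00", "MemberAdded",   "admin@contoso.com", "Finance", member=EXT),
    ev("2021-12-01T10:00:40", "FileUploaded",  EXT, "Finance", file="invoice.xlsm"),
    ev("2021-12-01T10:00:50", "FileUploaded",  EXT, "Finance", file="notes.docx"),
    ev("2021-12-01T10:05:00", "FileAccessed",  "ann@contoso.com",  "Finance", file="invoice.xlsm"),
    ev("2021-12-01T10:06:00", "FileAccessed",  "carl@contoso.com", "Finance", file="invoice.xlsm"),
    ev("2021-12-01T10:07:00", "FileAccessed",  "dee@contoso.com",  "Finance", file="invoice.xlsm"),
    ev("2021-12-01T10:30:00", "MemberRemoved", "admin@contoso.com", "Finance", member=EXT),
    # benign: internal user added and uploads at once (no #EXT# in the UPN)
    ev("2021-12-01T11:00:00", "MemberAdded",   "admin@contoso.com", "HR", member="eve@contoso.com"),
    ev("2021-12-01T11:00:10", "FileUploaded",  "eve@contoso.com", "HR", file="policy.pdf"),
    # benign: external user added, but the upload is well outside the 1-minute window
    ev("2021-12-01T12:00:00", "MemberAdded",   "admin@contoso.com", "Sales", member="guest_x.com#EXT#@contoso.com"),
    ev("2021-12-01T12:09:00", "FileUploaded",  "guest_x.com#EXT#@contoso.com", "Sales", file="deck.pptx"),
]

def added_then_uploaded(events, window=timedelta(minutes=1)):
    """Stage 1: external member added, then uploads within `window`.
    Every (add, upload) pair is kept, as a KQL `kind=inner` join would;
    the default innerunique would keep one arbitrary upload per add."""
    adds = [e for e in events if e["op"] == "MemberAdded" and "#EXT#" in e["member"]]
    ups = [e for e in events if e["op"] == "FileUploaded"]
    return [(a, u) for a in adds for u in ups
            if u["actor"] == a["member"] and u["team"] == a["team"]
            and timedelta(0) <= u["time"] - a["time"] <= window]

def detect(events, window=timedelta(minutes=1), min_readers=3):
    """Stages 2-4: the uploaded file is read by many distinct users and the
    external user is later removed. Returns one finding per qualifying upload."""
    findings = []
    for a, u in added_then_uploaded(events, window):
        readers = {e["actor"] for e in events if e["op"] == "FileAccessed"
                   and e["file"] == u["file"] and e["team"] == u["team"]
                   and e["time"] > u["time"] and e["actor"] != u["actor"]}
        removed = any(e["op"] == "MemberRemoved" and e["member"] == a["member"]
                      and e["team"] == a["team"] and e["time"] > u["time"] for e in events)
        if len(readers) >= min_readers and removed:
            findings.append({"member": a["member"], "team": a["team"],
                             "file": u["file"], "readers": len(readers)})
    return findings
```

Raising `min_readers` or narrowing `window` is the tuning lever the thread discusses for keeping alert volume down.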

shainw
shainw previously approved these changes Dec 2, 2021
Copy link
Contributor

@shainw shainw left a comment

I did some testing and looks like looking only for #EXT# (external users) and checking for within 1m has very low results. Approving and we will watch if alerts start to flood for some customers.

@shainw shainw added the Detection Detection specialty review needed label Dec 30, 2021
@shainw shainw merged commit bb976ea into Azure:master Dec 30, 2021
Labels
Detection Detection specialty review needed