OtunbaAde001/soc-detection-rules

GitHub: OtunbaAde001/soc-detection-rules

Stars: 0 | Forks: 0

# SOC Detection Rules

This project contains Microsoft Sentinel KQL queries, Sigma detection rules, and MITRE ATT&CK mappings.

Failed sign-ins per user, bucketed by hour (Microsoft Sentinel `SigninLogs`):

```kql
SigninLogs
| where ResultType != "0" // Filter for failed sign-ins; "0" is a successful sign-in
| summarize Count = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| order by Count desc
```

Remote IP addresses ranked by number of outbound connections (Microsoft 365 Defender `DeviceNetworkEvents`):

```kql
DeviceNetworkEvents
| summarize count() by RemoteIP // Connection count per remote IP
| order by count_ desc
```

Ransomware indicators correlated per device over the last 30 days. File activity comes from `DeviceFileEvents` and process activity from `DeviceProcessEvents` (the original draft pointed all four sub-queries at `DeviceNetworkEvents`, which carries neither `FileName`-level file actions nor process launches, and used a `ProcessName` column and a `ShadowCopyDeleted` action type that those tables do not expose; the process file name and command line are used instead):

```kql
let startTime = ago(30d);
let endTime = now();
let suspiciousExtensions = dynamic([".locked", ".encrypted", ".crypt"]);
// Many modifications of the same file on one device
let massFileModifications = DeviceFileEvents
| where Timestamp between (startTime .. endTime)
| where ActionType == "FileModified"
| summarize Count = count() by FileName, DeviceId
| where Count > 100; // Example threshold for mass modifications
// Many renames of the same file on one device
let highVolumeRenames = DeviceFileEvents
| where Timestamp between (startTime .. endTime)
| where ActionType == "FileRenamed"
| summarize Count = count() by FileName, DeviceId
| where Count > 100; // Example threshold for high-volume renames
// Launches of utilities commonly used to tamper with backups and recovery
let knownRansomwareProcesses = DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
| where FileName in~ ("vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "cipher.exe")
| summarize Count = count() by FileName, DeviceId;
// Shadow copy / backup catalog deletion, identified from the command line
let shadowCopyDeletions = DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
| where FileName in~ ("vssadmin.exe", "wbadmin.exe")
| where ProcessCommandLine has "delete" and ProcessCommandLine has_any ("shadows", "catalog")
| summarize Count = count() by DeviceId;
union massFileModifications, highVolumeRenames, knownRansomwareProcesses, shadowCopyDeletions
| summarize TotalCount = sum(Count) by DeviceId
| order by TotalCount desc
```
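The ransomware query above unions four per-device signals and ranks devices by the summed count. The following Python script is an added example, not code from the OtunbaAde001/soc-detection-rules repository: it replays the same correlation over constructed endpoint events (hypothetical device ids `dev-A`, `dev-B`, `dev-C` and file names) so the thresholds and the ranking can be checked offline. It goes beyond the query in two ways: it counts distinct files modified per device rather than events per file name, and it uses the `suspiciousExtensions` list that the query declares but never applies, as a fifth signal. The `correlate` and `rank` functions and the event field layout are choices made for this example.

```python
from collections import defaultdict

# Thresholds mirror the "example threshold" comments in the KQL query.
MASS_MODIFICATION_THRESHOLD = 100
HIGH_VOLUME_RENAME_THRESHOLD = 100
# Utilities the query treats as backup/recovery tampering.
BACKUP_TAMPER_PROCESSES = {"vssadmin.exe", "wbadmin.exe", "bcdedit.exe", "cipher.exe"}
# Extensions the query declares (suspiciousExtensions) but never uses.
SUSPICIOUS_EXTENSIONS = (".locked", ".encrypted", ".crypt")


def build_sample_events():
    """Constructed sample data: hypothetical devices, files and command lines."""
    file_events = []
    # dev-A: 150 distinct documents modified, 120 renamed to .locked, i.e. encryption-like activity.
    for i in range(150):
        file_events.append({"DeviceId": "dev-A", "ActionType": "FileModified", "FileName": f"doc{i}.docx"})
    for i in range(120):
        file_events.append({"DeviceId": "dev-A", "ActionType": "FileRenamed", "FileName": f"doc{i}.docx.locked"})
    # dev-B: a build server rewriting one log file thousands of times (benign churn).
    for _ in range(5000):
        file_events.append({"DeviceId": "dev-B", "ActionType": "FileModified", "FileName": "build.log"})
    process_events = [
        {"DeviceId": "dev-A", "FileName": "vssadmin.exe", "ProcessCommandLine": "vssadmin.exe delete shadows /all /quiet"},
        # dev-C only lists shadow copies: tamper utility ran, but nothing was deleted.
        {"DeviceId": "dev-C", "FileName": "vssadmin.exe", "ProcessCommandLine": "vssadmin.exe list shadows"},
    ]
    return file_events, process_events


def correlate(file_events, process_events):
    """Return {DeviceId: {"TotalCount": int, "Signals": set}} in the spirit of the KQL union."""
    modified = defaultdict(set)    # DeviceId -> distinct files modified
    renamed = defaultdict(int)     # DeviceId -> rename events
    suspicious = defaultdict(int)  # DeviceId -> renames to a suspicious extension
    tamper = defaultdict(int)      # DeviceId -> backup-tamper utility launches
    shadow_del = defaultdict(int)  # DeviceId -> shadow copy / catalog deletions

    for e in file_events:
        dev = e["DeviceId"]
        if e["ActionType"] == "FileModified":
            modified[dev].add(e["FileName"])
        elif e["ActionType"] == "FileRenamed":
            renamed[dev] += 1
            if e["FileName"].lower().endswith(SUSPICIOUS_EXTENSIONS):
                suspicious[dev] += 1

    for e in process_events:
        dev = e["DeviceId"]
        name = e["FileName"].lower()
        cmd = e["ProcessCommandLine"].lower()
        if name in BACKUP_TAMPER_PROCESSES:
            tamper[dev] += 1
            # Same command-line pattern as the shadowCopyDeletions sub-query.
            if "delete" in cmd and ("shadows" in cmd or "catalog" in cmd):
                shadow_del[dev] += 1

    results = defaultdict(lambda: {"TotalCount": 0, "Signals": set()})

    def add(dev, signal, count):
        results[dev]["TotalCount"] += count
        results[dev]["Signals"].add(signal)

    for dev, files in modified.items():
        if len(files) > MASS_MODIFICATION_THRESHOLD:
            add(dev, "MassFileModification", len(files))
    for dev, n in renamed.items():
        if n > HIGH_VOLUME_RENAME_THRESHOLD:
            add(dev, "HighVolumeRename", n)
    for dev, n in suspicious.items():
        add(dev, "SuspiciousExtensionRename", n)
    for dev, n in tamper.items():
        add(dev, "BackupTamperProcess", n)
    for dev, n in shadow_del.items():
        add(dev, "ShadowCopyDeletion", n)
    return dict(results)


def rank(results):
    """Order devices by number of distinct signal types first, then by raw TotalCount."""
    return sorted(results, key=lambda d: (len(results[d]["Signals"]), results[d]["TotalCount"]), reverse=True)


if __name__ == "__main__":
    file_events, process_events = build_sample_events()
    results = correlate(file_events, process_events)
    for dev in rank(results):
        print(dev, results[dev]["TotalCount"], sorted(results[dev]["Signals"]))
```

Running the script puts `dev-A` first with five signal types, then `dev-C` with a single utility launch; `dev-B` produces no signal at all because one file rewritten 5000 times is still one distinct file, whereas the per-`FileName` grouping in the KQL would rank that host at the top. Ordering by distinct signal types before the raw sum keeps one noisy counter (file modifications) from outweighing a host that shows encryption-like renames and shadow copy deletion together.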
Tags: AMSI bypass, EDR, bulk IP address processing, KQL, M365 Defender, Microsoft Sentinel, ransomware, threat detection, security operations, shadow copy deletion, scanning framework, file encryption detection, detection rules, failed sign-in analysis, cybersecurity, network traffic analysis, network asset discovery, vulnerability assessment, rate limiting, privacy protection