This repository contains Threat Intelligence content from the Western Australian Security Operations Center (WASOC).
The following analytic rules can be deployed to a Microsoft Sentinel environment to detect suspicious or potentially malicious activity based on Threat Intelligence shared by WASOC.
Click the Deploy to Azure button in the table under 'Analytic Rules and deployments' and follow the instructions below to deploy.
Fill in the details for the items listed below.
- Select the Subscription your workspace is under
- Select the specific Resource Group
- Select the Region
- Provide your Workspace Name found under Log Analytics workspace settings
- Leave newGuid() in place to generate a unique Rule Id for your rule
Ensure the details provided in the previous stage are all accurate and proceed to the next step.
If the analytic rule has been successfully deployed, you will see the screen below. Click the 'Go to Resource' button to view the deployed analytic rule(s). You can also navigate to the Analytics blade in the Microsoft Sentinel environment to confirm that the rules have been deployed successfully.
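The same deployment and confirmation can be scripted with the Az PowerShell modules (Az.Resources and Az.SecurityInsights). This is an added example, not code from this repository. The template URL, subscription, resource group and workspace values are placeholders, and the template parameter name `workspace` is an assumption to check against the `parameters` section of the rule template you deploy.

```powershell
# Added example: deploy one analytic rule template, then confirm it landed in Sentinel.
# All bracketed values are placeholders to replace with your own.
$SubscriptionId = '<subscription-id>'
$ResourceGroup  = '<resource-group>'
$Workspace      = '<workspace-name>'      # Name shown under Log Analytics workspace settings
$TemplateUri    = '<raw-url-of-rule-arm-template>'

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# Record the rule IDs that already exist so newly created rules can be told apart.
$before = @(Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup `
                                    -WorkspaceName $Workspace).Name

# The Rule Id parameter is left out on purpose so the template's newGuid()
# default generates a unique ID, as in the portal steps above.
# ASSUMPTION: the template exposes the workspace name as a parameter called 'workspace'.
$deployment = New-AzResourceGroupDeployment `
    -Name ('wasoc-rule-{0:yyyyMMddHHmmss}' -f (Get-Date)) `
    -ResourceGroupName $ResourceGroup `
    -TemplateUri $TemplateUri `
    -TemplateParameterObject @{ workspace = $Workspace } `
    -ErrorAction Stop

if ($deployment.ProvisioningState -ne 'Succeeded') {
    throw "Deployment ended in state '$($deployment.ProvisioningState)'."
}

# Equivalent of checking the Analytics blade: list rules created by this deployment.
$new = @(Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup `
                                 -WorkspaceName $Workspace |
         Where-Object { $_.Name -notin $before })

if ($new.Count -eq 0) {
    throw 'Deployment succeeded but no new analytic rule was found in the workspace.'
}

$new | Select-Object DisplayName, Enabled, Severity, Name | Format-Table -AutoSize

# A rule that deployed but is disabled will never raise an alert; flag it.
$new | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "Rule '$($_.DisplayName)' is deployed but disabled."
}
```

The region is not passed because a resource group deployment runs in the resource group's own location.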


