diff --git a/Azure Services/Lookout/Queries/Diagnostics/Device compliance status.kql b/Azure Services/Lookout/Queries/Diagnostics/Device compliance status.kql
new file mode 100644
index 0000000..77920cd
--- /dev/null
+++ b/Azure Services/Lookout/Queries/Diagnostics/Device compliance status.kql
@@ -0,0 +1,65 @@
+// Author: fgravato
+// Display name: Device Compliance Status
+// Description: Monitors device compliance status, security posture, and MDM integration for mobile devices managed by Lookout.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Diagnostics
+
+LookoutEvents
+| where EventType == "DEVICE"
+| where DeviceComplianceStatus in ("Non-Compliant", "Partial")
+ or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
+ or ChangeType == "UPDATE"
+| extend
+ DeviceRiskScore = case(
+ DeviceSecurityStatus == "THREATS_HIGH", 9,
+ DeviceSecurityStatus == "THREATS_MEDIUM", 6,
+ DeviceSecurityStatus == "THREATS_LOW", 3,
+ DeviceComplianceStatus == "Non-Compliant", 7,
+ DeviceComplianceStatus == "Partial", 4,
+ 1
+ ),
+ ComplianceReason = case(
+ DeviceCheckinTime < ago(7d), "No Recent Check-in",
+ DeviceActivationStatus != "ACTIVE", "Inactive Device",
+ isempty(ClientLookoutSDKVersion), "Missing Security Client",
+ "Configuration Issue"
+ ),
+ PlatformRisk = case(
+ DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\.", "Outdated Android",
+ DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\.", "Outdated iOS",
+ DevicePlatform == "UNKNOWN", "Unknown Platform",
+ "Current"
+ )
+| extend MDMIntegrationStatus = case(
+ isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
+ isnotempty(MDMConnectorId), "Partial Integration",
+ "Not Integrated"
+)
+| extend SecurityPosture = case(
+ DeviceRiskScore >= 8, "Critical",
+ DeviceRiskScore >= 6, "High",
+ DeviceRiskScore >= 4, "Medium",
+ "Low"
+)
+| project
+ TimeGenerated,
+ DeviceGuid,
+ DevicePlatform,
+ DeviceOSVersion,
+ DeviceManufacturer,
+ DeviceModel,
+ DeviceEmailAddress,
+ DeviceActivationStatus,
+ DeviceSecurityStatus,
+ DeviceComplianceStatus,
+ DeviceRiskScore,
+ SecurityPosture,
+ ComplianceReason,
+ PlatformRisk,
+ DeviceCheckinTime,
+ ClientLookoutSDKVersion,
+ MDMConnectorId,
+ MDMExternalId,
+ MDMIntegrationStatus
+| order by DeviceRiskScore desc, TimeGenerated desc
diff --git a/Azure Services/Lookout/Queries/Security/High severity mobile threats.kql b/Azure Services/Lookout/Queries/Security/High severity mobile threats.kql
new file mode 100644
index 0000000..be48da2
--- /dev/null
+++ b/Azure Services/Lookout/Queries/Security/High severity mobile threats.kql
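Review bot: `ComplianceReason` assigns a reason to every row, including the compliant devices that the `or ChangeType == "UPDATE"` branch of the filter pulls in, so a healthy device that checked in within the last 7 days is reported as `Configuration Issue`. A leading branch such as `DeviceComplianceStatus !in ("Non-Compliant", "Partial"), "Compliant",` would keep the reason column meaningful for triage. The query also has no `TimeGenerated` bound, so it depends on the portal time picker; a `| where TimeGenerated > ago(...)` like the other queries in this commit would make it safe to run standalone. Note too that the iOS regex `^1[0-4]\.` only flags 10.x-14.x, so a 9.x device falls through to `Current`.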
@@ -0,0 +1,65 @@
+// Author: fgravato
+// Display name: High Severity Mobile Threats
+// Description: Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence, risk scoring, and device context.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+LookoutEvents
+| where EventType == "THREAT"
+| where ThreatSeverity in ("CRITICAL", "HIGH")
+| where ThreatAction == "DETECTED"
+| where ThreatStatus in ("OPEN", "ACTIVE")
+| extend
+ ThreatRiskScore = case(
+ ThreatSeverity == "CRITICAL", 10,
+ ThreatSeverity == "HIGH", 8,
+ ThreatSeverity == "MEDIUM", 5,
+ ThreatSeverity == "LOW", 2,
+ 1
+ ),
+ DeviceRiskLevel = case(
+ DeviceSecurityStatus == "THREATS_HIGH", "High",
+ DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
+ DeviceSecurityStatus == "THREATS_LOW", "Low",
+ "Unknown"
+ ),
+ ThreatCategory = case(
+ ThreatClassifications has "MALWARE", "Malware",
+ ThreatClassifications has "PHISHING", "Phishing",
+ ThreatClassifications has "SPYWARE", "Spyware",
+ ThreatClassifications has "TROJAN", "Trojan",
+ ThreatClassifications has "ADWARE", "Adware",
+ "Other"
+ )
+| extend ComplianceImpact = case(
+ DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
+ DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High",
+ DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
+ DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
+ "Low"
+)
+| project
+ TimeGenerated,
+ ThreatId,
+ ThreatType,
+ ThreatSeverity,
+ ThreatRiskScore,
+ ThreatCategory,
+ ThreatClassifications,
+ ThreatStatus,
+ ThreatDescription,
+ ThreatApplicationName,
+ ThreatPackageName,
+ ThreatPackageSha,
+ DeviceGuid,
+ DevicePlatform,
+ DeviceOSVersion,
+ DeviceManufacturer,
+ DeviceModel,
+ DeviceEmailAddress,
+ DeviceSecurityStatus,
+ DeviceRiskLevel,
+ DeviceComplianceStatus,
+ ComplianceImpact
+| order by ThreatRiskScore desc, TimeGenerated desc
diff --git a/Azure Services/Lookout/Queries/Security/Multi-vector attack correlation.kql b/Azure Services/Lookout/Queries/Security/Multi-vector attack correlation.kql
new file mode 100644
index 0000000..2ce9096
--- /dev/null
+++ b/Azure Services/Lookout/Queries/Security/Multi-vector attack correlation.kql
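Review bot: The `MEDIUM` and `LOW` branches of `ThreatRiskScore` are unreachable because `| where ThreatSeverity in ("CRITICAL", "HIGH")` has already discarded those rows, so the case reduces to `ThreatRiskScore = case(ThreatSeverity == "CRITICAL", 10, 8),` — or, if the scoring table is meant to stay reusable across queries, a one-line comment saying so would stop the next reader from assuming medium threats can appear here. Each detection event is also emitted as its own row, so a threat that is re-reported while still `OPEN` shows up once per event; `| summarize arg_max(TimeGenerated, *) by ThreatId` before the `project` would give one row per threat with its latest status.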
@@ -0,0 +1,53 @@
+// Author: fgravato
+// Display name: Multi-Vector Attack Correlation
+// Description: Identifies devices experiencing multiple threat types within 24 hours, indicating coordinated or sophisticated attacks targeting mobile devices.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+let timeWindow = 24h;
+let threatEvents = LookoutEvents
+| where TimeGenerated > ago(timeWindow)
+| where EventType == "THREAT"
+| where ThreatSeverity in ("CRITICAL", "HIGH")
+| summarize
+ ThreatTypes = make_set(ThreatType),
+ ThreatCount = count(),
+ FirstThreat = min(TimeGenerated),
+ LastThreat = max(TimeGenerated),
+ ThreatClassifications = make_set(ThreatClassifications)
+ by DeviceGuid, DeviceEmailAddress, DevicePlatform;
+let smishingEvents = LookoutEvents
+| where TimeGenerated > ago(timeWindow)
+| where EventType == "SMISHING_ALERT"
+| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
+| summarize
+ SmishingTypes = make_set(SmishingAlertType),
+ SmishingCount = count(),
+ FirstSmishing = min(TimeGenerated)
+ by DeviceGuid;
+threatEvents
+| join kind=leftouter (smishingEvents) on DeviceGuid
+| where ThreatCount >= 2 or SmishingCount >= 1
+| extend AttackDuration = LastThreat - FirstThreat
+| extend MultiVectorRisk = case(
+ ThreatCount >= 3 and SmishingCount >= 1, "Critical",
+ ThreatCount >= 2 and SmishingCount >= 1, "High",
+ ThreatCount >= 3, "High",
+ ThreatCount >= 2, "Medium",
+ "Low"
+)
+| project
+ DeviceGuid,
+ DeviceEmailAddress,
+ DevicePlatform,
+ ThreatTypes,
+ SmishingTypes,
+ ThreatCount,
+ SmishingCount,
+ AttackDuration,
+ MultiVectorRisk,
+ FirstThreat,
+ LastThreat,
+ ThreatClassifications
+| order by MultiVectorRisk desc, ThreatCount desc
diff --git a/Azure Services/Lookout/Queries/Security/Smishing and phishing detection.kql b/Azure Services/Lookout/Queries/Security/Smishing and phishing detection.kql
new file mode 100644
index 0000000..136aaab
--- /dev/null
+++ b/Azure Services/Lookout/Queries/Security/Smishing and phishing detection.kql
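Review bot: `| order by MultiVectorRisk desc` sorts a string column, so the result is ordered alphabetically (`Medium`, `Low`, `High`, `Critical`) and the critical devices land at the bottom. Sort on a numeric rank instead, e.g. `| extend RiskRank = case(MultiVectorRisk == "Critical", 4, MultiVectorRisk == "High", 3, MultiVectorRisk == "Medium", 2, 1)` followed by `| order by RiskRank desc, ThreatCount desc`. The `ThreatCount >= 2` gate also counts events rather than distinct threat types, so two reports of the same threat on one device qualify as "multi-vector"; `array_length(ThreatTypes) >= 2` matches the stated intent more closely. After the `leftouter` join `SmishingCount` is null for devices with no smishing alerts, which the comparisons tolerate but the projected column shows as empty; `coalesce(SmishingCount, 0)` would make that explicit.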
@@ -0,0 +1,61 @@
+// Author: fgravato
+// Display name: Smishing and Phishing Detection
+// Description: Detects SMS phishing (smishing) and phishing alerts with impersonation analysis, identifying CEO fraud, credential harvesting, and malicious link campaigns.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+LookoutEvents
+| where EventType == "SMISHING_ALERT"
+| where SmishingAlertSeverity in ("CRITICAL", "HIGH", "MEDIUM")
+| extend
+ AlertRiskScore = case(
+ SmishingAlertSeverity == "CRITICAL", 10,
+ SmishingAlertSeverity == "HIGH", 8,
+ SmishingAlertSeverity == "MEDIUM", 5,
+ SmishingAlertSeverity == "LOW", 2,
+ 1
+ ),
+ ThreatCategory = case(
+ SmishingAlertType == "PHISHING_DETECTION", "Phishing",
+ SmishingAlertType == "FRAUD_DETECTION", "Fraud",
+ SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
+ SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
+ "Other"
+ ),
+ ImpersonationRisk = case(
+ SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
+ SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation",
+ SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
+ SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
+ "Generic Phishing"
+ )
+| extend DeviceRiskLevel = case(
+ DeviceSecurityStatus == "THREATS_HIGH", "High",
+ DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
+ DeviceSecurityStatus == "THREATS_LOW", "Low",
+ "Unknown"
+)
+| extend CampaignIndicators = case(
+ AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
+ AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
+ AlertRiskScore >= 5, "Coordinated Threat",
+ "Isolated Incident"
+)
+| project
+ TimeGenerated,
+ SmishingAlertId,
+ SmishingAlertType,
+ SmishingAlertSeverity,
+ SmishingAlertDescription,
+ AlertRiskScore,
+ ThreatCategory,
+ ImpersonationRisk,
+ CampaignIndicators,
+ DeviceGuid,
+ DevicePlatform,
+ DeviceOSVersion,
+ DeviceEmailAddress,
+ DeviceSecurityStatus,
+ DeviceRiskLevel
+| order by AlertRiskScore desc, TimeGenerated desc
diff --git a/Azure Services/Lookout/Queries/Usage/Mobile threat summary.kql b/Azure Services/Lookout/Queries/Usage/Mobile threat summary.kql
new file mode 100644
index 0000000..2b7f91f
--- /dev/null
+++ b/Azure Services/Lookout/Queries/Usage/Mobile threat summary.kql
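Review bot: `SmishingAlertDescription has "IT"` is case-insensitive term matching, so any description containing the word "it" is classified as `IT Support Impersonation`, which will flood the `ImpersonationRisk` column with false positives for one of the most common English words. Use the case-sensitive operator for that token, `SmishingAlertDescription has_cs "IT" or SmishingAlertDescription has "support", "IT Support Impersonation",`, or match a longer phrase such as "IT support". Because the `case` is evaluated top to bottom, a description that mentions both an executive and a bank is labelled by the first matching branch only; a short comment above `ImpersonationRisk` stating that precedence would help anyone tuning the list.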
@@ -0,0 +1,51 @@
+// Author: fgravato
+// Display name: Mobile Threat Summary
+// Description: Provides an overview of mobile security metrics including threat counts, device compliance, and platform distribution for Lookout-managed devices.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Usage
+
+let timeRange = 24h;
+let threatSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "THREAT"
+| summarize
+ TotalThreats = count(),
+ CriticalThreats = countif(ThreatSeverity == "CRITICAL"),
+ HighThreats = countif(ThreatSeverity == "HIGH"),
+ MediumThreats = countif(ThreatSeverity == "MEDIUM"),
+ LowThreats = countif(ThreatSeverity == "LOW"),
+ UniqueDevicesWithThreats = dcount(DeviceGuid),
+ ThreatTypes = make_set(ThreatType)
+| extend SummaryType = "Threats";
+let smishingSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "SMISHING_ALERT"
+| summarize
+ TotalSmishingAlerts = count(),
+ CriticalSmishing = countif(SmishingAlertSeverity == "CRITICAL"),
+ HighSmishing = countif(SmishingAlertSeverity == "HIGH"),
+ UniqueDevicesWithSmishing = dcount(DeviceGuid),
+ SmishingTypes = make_set(SmishingAlertType)
+| extend SummaryType = "Smishing";
+let deviceSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "DEVICE"
+| summarize
+ TotalDevices = dcount(DeviceGuid),
+ ActiveDevices = dcountif(DeviceGuid, DeviceActivationStatus == "ACTIVE"),
+ NonCompliantDevices = dcountif(DeviceGuid, DeviceComplianceStatus == "Non-Compliant"),
+ HighRiskDevices = dcountif(DeviceGuid, DeviceSecurityStatus == "THREATS_HIGH"),
+ AndroidDevices = dcountif(DeviceGuid, DevicePlatform == "ANDROID"),
+ iOSDevices = dcountif(DeviceGuid, DevicePlatform == "IOS")
+| extend SummaryType = "Devices";
+let platformBreakdown = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "THREAT"
+| summarize ThreatsByPlatform = count() by DevicePlatform
+| extend SummaryType = "PlatformBreakdown";
+union
+ (threatSummary | project SummaryType, TotalThreats, CriticalThreats, HighThreats, MediumThreats, LowThreats, UniqueDevicesWithThreats, ThreatTypes),
+ (smishingSummary | project SummaryType, TotalSmishingAlerts, CriticalSmishing, HighSmishing, UniqueDevicesWithSmishing, SmishingTypes),
+ (deviceSummary | project SummaryType, TotalDevices, ActiveDevices, NonCompliantDevices, HighRiskDevices, AndroidDevices, iOSDevices),
+ (platformBreakdown | project SummaryType, DevicePlatform, ThreatsByPlatform)
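Review bot: The `deviceSummary` counters (`ActiveDevices`, `NonCompliantDevices`, `HighRiskDevices`) apply `dcountif` across every DEVICE event in the window, so a device that reported `THREATS_HIGH` early in the day and was remediated later is still counted as high risk, and one device can land in both the compliant and non-compliant buckets. Collapsing to the latest event per device first, `| summarize arg_max(TimeGenerated, *) by DeviceGuid` between the `EventType == "DEVICE"` filter and the summarize, makes the figures reflect current state rather than history. `TotalDevices` likewise counts devices that emitted an event in the last 24h, not the enrolled fleet, which the description's "device compliance" wording could make explicit.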