Renamed DATP to MDE.
0xffhh committed Apr 23, 2021
1 parent 479c11f commit 8d3d3da
Showing 24 changed files with 69 additions and 69 deletions.
6 changes: 3 additions & 3 deletions Command and Control/T1105-WIN-001.md
Expand Up @@ -38,16 +38,16 @@ This detection addresses most of the known ways to utilize this binary for malic

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process Monitoring |
| - | DeviceFileEvents | DATP | File metadata |
| - | DeviceProcessEvents | MDE | Process Monitoring |
| - | DeviceFileEvents | MDE | File metadata |
## Hunt details

### KQL

**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *This detection addresses most of the known ways to utilize this binary for malicious/unintended purposes. It attempts to accomodate for most detection evasion techniques, like commandline obfuscation and binary renaming*
**Query:**
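Review bot: The two renamed DeviceProcessEvents/DeviceFileEvents rows still run straight into "## Hunt details" with no blank line, and the Description context line above "**Query:**" misspells "accomodate" (should be "accommodate") and lacks a closing period; since the commit already touches these lines, it is a cheap moment to add the blank line after the table (as Defense Evasion/T1036-WIN-002.md does) and fix the spelling. The ATT&CK Data Source column also uses "Process Monitoring" here but "Process monitoring" in the other files of this commit; pick one capitalization.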
6 changes: 3 additions & 3 deletions Defense Evasion/T1036-WIN-001.md
Expand Up @@ -33,15 +33,15 @@ By combining the network connection events towards non-private IP addresses with
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceNetworkEvents | DATP | Process use of Network |
| - | DeviceFileCertificateInfo | DATP | Binary File Metadata |
| - | DeviceNetworkEvents | MDE | Process use of Network |
| - | DeviceFileCertificateInfo | MDE | Binary File Metadata |
## Hunt details

### KQL
**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *This detection looks at network connections towards non-RFC-1918 IP addresses. Next it queries all the signature of all binaries that are either unsigned of where the signature is untrusted. These two sets are joined and the result is connections by binaries with unsigned or untrusted certificates*
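Review bot: The Description context line has a wording error that survives the rename: "either unsigned of where the signature is untrusted" should read "either unsigned or where the signature is untrusted", and "queries all the signature of all binaries" should be "queries the signatures of all binaries". Also consider the blank line between the table and "## Hunt details" for consistency with the other files in this commit.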

4 changes: 2 additions & 2 deletions Defense Evasion/T1036-WIN-002.md
Expand Up @@ -26,15 +26,15 @@ This rule detects renamed LOLBINs by first searching for all the known SHA1 hash
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | - | LOLBAS Project | - |

## Hunt details
### KQL

**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

6 changes: 3 additions & 3 deletions Defense Evasion/T1036-WIN-003.md
Expand Up @@ -30,15 +30,15 @@ Approach 2: Make a list of the top 100 executed (system) processes. Obtain all u
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | FileProfile | DATP | Process use of network |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | FileProfile | MDE | Process use of network |

## Hunt details
### KQL

**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*
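Review bot: The FileProfile row maps to the ATT&CK data source "Process use of network", which does not match what FileProfile provides; FileProfile is the advanced-hunting enrichment function for file attributes (signer, global prevalence), so "Binary file metadata" (the label this commit uses for certificate data in Defense Evasion/T1036-WIN-001.md) or "-" (as used for FileProfile in Defense Evasion/T1218-WIN-001.md) would be accurate. Worth correcting while the row is being rewritten.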

2 changes: 1 addition & 1 deletion Defense Evasion/T1036.003-WIN-001.md
Expand Up @@ -36,7 +36,7 @@ Next step is to concatenate these two arrays and use that as a base to match all

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | - | LOLBAS Project | - |

## Hunt details
4 changes: 2 additions & 2 deletions Defense Evasion/T1036.005-WIN-001.md
Expand Up @@ -33,15 +33,15 @@ This rule detects mismatches in the parent-child relationship of core operating

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |

## Hunt details

### KQL

**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

4 changes: 2 additions & 2 deletions Defense Evasion/T1127-WIN-001.md
Expand Up @@ -34,15 +34,15 @@ This detection looks at process executions, in some cases with specific commandl

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process Monitoring |
| - | DeviceProcessEvents | MDE | Process Monitoring |
## Hunt details

### KQL

**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *This detection looks at process executions, in some cases with specific commandline attributes to filter a lot of common noise.*

6 changes: 3 additions & 3 deletions Defense Evasion/T1218-WIN-001.md
Expand Up @@ -34,15 +34,15 @@ This detection is aimed at identifying ImageLoad events of .CPL which have a "lo
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceImageLoadEvents | DATP | API monitoring |
| - | FileProfile | DATP | - |
| - | DeviceImageLoadEvents | MDE | API monitoring |
| - | FileProfile | MDE | - |
## Hunt details

### KQL
**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*
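Review bot: The DeviceImageLoadEvents row is labelled "API monitoring" here, while the same table in Execution/T1059.001-WIN-001.md (also in this commit) labels DeviceImageLoadEvents as "Loaded DLLs"; the .CPL image-load case described in the hunk header is a DLL load, so "Loaded DLLs" is the consistent choice. The FileProfile row could use the same data-source label as the other FileProfile rows in this commit rather than "-".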

4 changes: 2 additions & 2 deletions Defense Evasion/T1562-WIN-001.md
Expand Up @@ -37,14 +37,14 @@ by @olafhartong on a large sample of malware for varying purposes. Note that thi
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |

## Hunt details

### KQL
**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

4 changes: 2 additions & 2 deletions Execution/T1059.001-WIN-001.md
Expand Up @@ -34,15 +34,15 @@ The rule identifies all processes that load the System.Management.Automation.dll
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceImageLoadEvents | DATP | Loaded DLLs |
| - | DeviceImageLoadEvents | MDE | Loaded DLLs |
| 7 | Image Load | Sysmon | Loaded DLLs |

## Hunt details

### KQL
**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *Show all executables that load the System.Management.Automation(.ni).dll and exclude powershell.exe and other known binaries that do so.*

10 changes: 5 additions & 5 deletions Execution/T1204-WIN-001.md
Expand Up @@ -32,16 +32,16 @@ Rule 2 identifies cases where an office process injects code into another proces
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceImageLoadEvents | DATP | Process monitoring, Process Command-line parameters |
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceEvents | DATP | Process monitoring |
| - | FileProfile | DATP | - |
| - | DeviceImageLoadEvents | MDE | Process monitoring, Process Command-line parameters |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | DeviceEvents | MDE | Process monitoring |
| - | FileProfile | MDE | - |
## Hunt details
### KQL

**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*
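Review bot: The first row pairs DeviceImageLoadEvents with "Process monitoring, Process Command-line parameters", which describes DeviceProcessEvents (the second row), not image loads; elsewhere in this commit DeviceImageLoadEvents maps to "Loaded DLLs" (Execution/T1059.001-WIN-001.md). Suggest swapping the label to "Loaded DLLs" and moving the command-line data source onto the DeviceProcessEvents row.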

4 changes: 2 additions & 2 deletions Initial Access/T1566-WIN-001.md
Expand Up @@ -27,15 +27,15 @@ The query looks for office applications which spawn a child process and have a b
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |


## Hunt details
### KQL

**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

8 changes: 4 additions & 4 deletions Initial Access/T1566-WIN-002.md
Expand Up @@ -27,17 +27,17 @@ The query looks for file downloads from the internet based on network connection
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceFileEvents | DATP | Process monitoring |
| - | DeviceNetworkEvents | DATP | Process monitoring |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | DeviceFileEvents | MDE | Process monitoring |
| - | DeviceNetworkEvents | MDE | Process monitoring |


## Hunt details
### KQL

**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*
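Review bot: All three rows carry "Process monitoring" as the ATT&CK data source, but only DeviceProcessEvents is process monitoring; the DeviceFileEvents row should be "File monitoring" (as in Persistence/T1176-WIN-001.md) and the DeviceNetworkEvents row "Process use of network" (as in Lateral Movement/T1021-WIN-001.md), both already used in this commit. The hunk header says the query keys on network connections and file downloads, so the mislabel hides the data sources the rule actually depends on.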

10 changes: 5 additions & 5 deletions Lateral Movement/T1021-WIN-001.md
Expand Up @@ -30,16 +30,16 @@ The query might look intimidating given it's size. That's why we've commented th
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceNetworkEvents | DATP | Process use of network |
| - | DeviceFileCertificateInfo | DATP | - |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | DeviceNetworkEvents | MDE | Process use of network |
| - | DeviceFileCertificateInfo | MDE | - |

## Hunt details
### KQL

**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*
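Review bot: The DeviceFileCertificateInfo row has "-" for its ATT&CK data source, while the same table in Defense Evasion/T1036-WIN-001.md labels that table "Binary File Metadata"; use the same label here so the data-source inventory across hunts stays consistent.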

Expand Down Expand Up @@ -104,7 +104,7 @@ serviceNetworkEvents
* The query ignores everything which happens in the first 60 seconds after the start of services.exe (i.e. system boot), you can consider to increase or decrease this value to tune your sensitivity curve.
* "msiexec.exe /V" is explicitly whitelisted because of the insane amount of occurences of this specific commandline. I'm not sure why it's there and what is does. Most documention I found online (incorrectly) refer to the /l**v** which is different from /v. It is a valid switch though, based on the error it shows when you run it. Please reach out (0xffhh on Twitter) if you know what it does, so I can update this documentation accordingly.
* You might want to whitelist binaries in your environment which are known good to reduce the noise. Watch out for LOLBINs though.
* Improve the filtering to use FileInfo instead of the DeviceFileCertificate table. During my testing, this function seemed temporary broken in DATP.
* Improve the filtering to use FileInfo instead of the DeviceFileCertificate table. During my testing, this function seemed temporary broken in MDE.

## False Positives
* msiexec.exe /v
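Review bot: The renamed line still refers to "FileInfo" and "the DeviceFileCertificate table", neither of which matches the names used in this file: the data source table a few lines up lists DeviceFileCertificateInfo, and the enrichment function the other hunts in this commit use is FileProfile. Suggest "Improve the filtering to use FileProfile() instead of the DeviceFileCertificateInfo table. During my testing, this function seemed temporarily broken in MDE." (also fixing "temporary" to "temporarily"). In the bullet above it, "occurences" and "documention" are misspelled ("occurrences", "documentation").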
6 changes: 3 additions & 3 deletions Lateral Movement/T1021-WIN-002.md
Expand Up @@ -28,15 +28,15 @@ The query first identifies incoming network traffic over RPC/TCP followed by the
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceNetworkEvents | DATP | Process use of network |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | DeviceNetworkEvents | MDE | Process use of network |

## Hunt details
### KQL

**FP Rate:** *High*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

6 changes: 3 additions & 3 deletions Lateral Movement/T1021.001-WIN-001.md
Expand Up @@ -34,16 +34,16 @@ Monitor for the behavior that SharpRDP exhibits on the target system. The most r

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process monitoring |
| - | DeviceLogonEvents | DATP | Authentication logs |
| - | DeviceProcessEvents | MDE | Process monitoring |
| - | DeviceLogonEvents | MDE | Authentication logs |

## Hunt details

### KQL

**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *See above*

4 changes: 2 additions & 2 deletions Persistence/T1053.005-WIN-001.md
Expand Up @@ -33,15 +33,15 @@ Scheduled tasks run with svchost parent process and parent process command line
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceProcessEvents | DATP | Process command-line parameters, Process monitoring, Windows event logs |
| - | DeviceProcessEvents | MDE | Process command-line parameters, Process monitoring, Windows event logs |

## Hunt details

### KQL
**FP Rate:** *Medium*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *Scheduled tasks run with svchost parent process and parent process command line arguments "-k netsvcs -p -s Schedule". This detection rule obtains unique hashes of binaries that are running with this parent process. To identify potential malicious binaries only the unsigned binaries with a low global prevalence are retained.*

4 changes: 2 additions & 2 deletions Persistence/T1176-WIN-001.md
Expand Up @@ -36,14 +36,14 @@ The most common ones are autmented with an ExtensionName field, the unknown ones
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceFileEvents | DATP | File Monitoring |
| - | DeviceFileEvents | MDE | File Monitoring |
## Hunt details

### KQL
**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *First a recerence list is created with known/fairly trusted extensions. Next the new file create events are filtered and the ExtensionID is regexed from the path which is joined with the KnownExtensions reference list*
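Review bot: Two typos in the context lines of this hunk are worth fixing in the same pass: "recerence list" in the Description should be "reference list", and "autmented with an ExtensionName field" in the hunk header should be "augmented". The table here also lacks the blank line before "## Hunt details" that most other files in this commit have.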

6 changes: 3 additions & 3 deletions Persistence/T1543.003-WIN-001.md
Expand Up @@ -35,16 +35,16 @@ The provided detection is looking at established incoming connections towards th

| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceRegistryEvents | DATP | Windows Registry |
| - | DeviceNetworkEvents | DATP | Network Monitoring |
| - | DeviceRegistryEvents | MDE | Windows Registry |
| - | DeviceNetworkEvents | MDE | Network Monitoring |

## Hunt details

### KQL

**FP Rate:** *High*

**Source:** *DATP*
**Source:** *MDE*

**Description:**
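Review bot: The "**Description:**" field at the end of this hunk is empty, whereas every other hunt in this commit carries at least "*See above*"; fill it in (or use "*See above*") so the rule is not rendered with a blank description, especially given the "High" FP rate that a reader will want explained.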

4 changes: 2 additions & 2 deletions Persistence/T1546.015-WIN-001.md
Expand Up @@ -34,15 +34,15 @@ Look for the very specific value of "Attribute" in the "ShellFolder" CLSID of a
## Utilized Data Source
| Event ID | Event Name | Log Provider | ATT&CK Data Source |
|---------|---------|----------|---------|
| - | DeviceRegistryEvents | DATP | Windows Registry |
| - | DeviceRegistryEvents | MDE | Windows Registry |

## Hunt details

### KQL
**FP Rate:** *Low*

**Source:** *DATP*
**Source:** *MDE*

**Description:** *Find all registry events where the Attribute value has been set to this very specific IoC value or bigger*
