updating fix after resolving conflicts

2021-06-21 13:20:23 -07:00 · 2021-06-21 13:20:23 -07:00 · 3ff6111bed
--- a/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml
+++ b/Detections/MultipleDataSources/MultiplePasswordresetsbyUser.yaml
@ -47,7 +47,7 @@ query: |
  | where OperationName has_any (pWord) and OperationName has_any (action)
  | extend AccountType = tostring(TargetResources[0].type), Account = tostring(TargetResources[0].userPrincipalName), 
  TargetResourceName = tolower(tostring(TargetResources[0].displayName))
-  | project TimeGenerated, AccountType, Account, Computer = TargetResourceName, Type),
+  | project TimeGenerated, AccountType, Account, Computer = "", Type),
  (//OfficeActive ActiveDirectory Password reset events
  OfficeActivity
  | where OfficeWorkload == "AzureActiveDirectory" 
@ -59,26 +59,23 @@ query: |
  | where Facility in ("auth","authpriv")
  | where SyslogMessage has_any (pWord) and SyslogMessage has_any (action)
  | extend AccountType = iif(SyslogMessage contains "root", "Root", "Non-Root")
+  | where SyslogMessage matches regex ".*password changed for.*"
  | parse SyslogMessage with * "password changed for" Account
-  | project TimeGenerated, AccountType, Account, Computer = HostName, Type),
-  (SigninLogs
-  | where OperationName =~ "Sign-in activity" and ResultType has_any ("50125", "50133")
-  | project TimeGenerated, AccountType = AppDisplayName, Computer = IPAddress, Account = UserPrincipalName, Type
-  )
+  | project TimeGenerated, AccountType, Account, Computer = HostName, Type)
  );
  let pwrmd = PasswordResetMultiDataSource
  | project TimeGenerated, Computer, AccountType, Account, Type;
  (union isfuzzy=true  
  (pwrmd
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), AccountType = makeset(AccountType), Total=count() by Account, Type
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computerlist = make_set(Computer, 25), AccountType = make_set(AccountType, 25), Computer = arg_max(Computer , TimeGenerated), Total=count() by Account, Type
  | where Total > PerUserThreshold
  | extend ResetPivot = "PerUserReset"),  
  (pwrmd
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Computer = makeset(Computer), Account = tostring(makeset(Account)), AccountType = makeset(AccountType), Total=count() by Type
+  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ComputerList = make_set(Computer, 25), AccountList = make_set(Account, 25), AccountType = make_set(AccountType, 25), Account = arg_max(Account, TimeGenerated), Computer = arg_max(Computer , TimeGenerated), Total=count() by Type
  | where Total > TotalThreshold
  | extend ResetPivot = "TotalUserReset")
  )
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = tostring(Computer)
+  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings:
  - entityType: Account
    fieldMappings:
@ -88,4 +85,4 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
-version: 1.0.0
+version: 2.0.0