Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Update InsecureProtocols.json 

Filtered Legacy Authentication to success only
Added Export/Open Query buttons to detailed views
Reogranized Insecure LDAP
Fixed TimeRange in NTLM query to follow parameter selection
Other minor improvements
This commit is contained in:
Brian Delaney 2020-11-24 16:18:34 -05:00 коммит произвёл GitHub
Родитель d322964a44
Коммит 4086694c25
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 170 добавлений и 222 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

392
Workbooks/InsecureProtocols.json
Просмотреть файл

@ -29,8 +29,7 @@
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": ""
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "959662e2-5c74-4876-b5c7-0aaeb2de2ca5",
@ -49,8 +48,7 @@
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"value": null
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "d0ab5058-af8c-4ea2-b4a4-8d836769d278",
@ -156,6 +154,7 @@
"style": "tabs",
"links": [
{
"id": "d227db69-0ed6-4a0c-8b32-52d63b6abb97",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Summary",
@ -163,6 +162,7 @@
"style": "link"
},
{
"id": "c98966ad-34ee-4d5e-a887-9d9016bbe936",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "LDAP",
@ -171,6 +171,7 @@
"style": "link"
},
{
"id": "04f95974-97a2-43ac-a2b8-f82fd53b1569",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "NTLM",
@ -178,6 +179,7 @@
"style": "link"
},
{
"id": "c044c677-3a45-4d4c-941d-3f0e1e48f11c",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "SMB",
@ -185,6 +187,7 @@
"style": "link"
},
{
"id": "337ad651-be31-42a7-8ff0-be12c2a4bc6c",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Kerberos",
@ -192,6 +195,7 @@
"style": "link"
},
{
"id": "21019a79-11e5-48e4-97b6-19062f7901c1",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "WDigest",
@ -199,6 +203,7 @@
"style": "link"
},
{
"id": "da0803ba-fee6-4d54-9e66-b9b8611198b7",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "AAD Legacy Auth ",
@ -206,6 +211,7 @@
"style": "link"
},
{
"id": "da70784a-a74b-4272-9b79-2ee727f8081f",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Vulnerable Secure Channel",
@ -219,7 +225,7 @@
{
"type": 1,
"content": {
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft <br>\r\n\t\r\n\tVersion v1.9\r\n\tUpdated AAD Legacy Auth (Exchange ActiveSync)\r\n\r\n\tVersion v1.8\r\n\tAdded Vulnerable Netlogon Secure Channel\r\n\tAdded Legacy Authentication to Summary\r\n\tFixed reporting of Weak Kerberos Cipher in summary\r\n\t\r\n\t\r\n\tVersion v1.7\r\n\tAdded Tabs\r\n\tFixed a bug\r\n\tAdded Timebrushing and Groupings\r\n\tAdded Help sections",
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft <br>\r\n\t\r\n\tVersion v2.0\r\n\tFiltered Legacy Authentication to success only\r\n\tAdded Export/Open Query buttons to detailed views\r\n\tReogranized Insecure LDAP\r\n\tFixed TimeRange in NTLM query to follow parameter selection\r\n\tOther minor improvements\r\n\r\n\tVersion v1.9\r\n\tUpdated AAD Legacy Auth (Exchange ActiveSync)\r\n\r\n\tVersion v1.8\r\n\tAdded Vulnerable Netlogon Secure Channel\r\n\tAdded Legacy Authentication to Summary\r\n\tFixed reporting of Weak Kerberos Cipher in summary\r\n\t\r\n\t\r\n\tVersion v1.7\r\n\tAdded Tabs\r\n\tFixed a bug\r\n\tAdded Timebrushing and Groupings\r\n\tAdded Help sections",
"style": "info"
},
"conditionalVisibility": {
@ -255,7 +261,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"size": 0,
"title": "Summary of Insecure Protocols: {TimeRange:label}",
"timeContext": {
@ -298,7 +304,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count, TimeGenerated\r\n| union legacyAuth\r\n| where Protocol =~ \"{SelectedProtocol}\" or \"{SelectedProtocol}\" =~ \"All\"\r\n| sort by Count desc\r\n",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count, TimeGenerated\r\n| union legacyAuth\r\n| where Protocol =~ \"{SelectedProtocol}\" or \"{SelectedProtocol}\" =~ \"All\"\r\n| sort by Count desc\r\n",
"size": 0,
"title": "Summary of Insecure Protocols: {TimeRange:label}",
"timeContext": {
@ -338,7 +344,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| summarize FirstOccurance=min(FirstOccurance), LastOccurance=max(LastOccurance), Count=sum(Count) by Protocol\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| summarize FirstOccurance=min(FirstOccurance), LastOccurance=max(LastOccurance), Count=sum(Count) by Protocol\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"size": 1,
"title": "Summary of Insecure Protobols found in: {TimeRange:label}",
"timeContext": {
@ -539,7 +545,7 @@
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend Title = \"Number of IP Addresses\"\r\n | summarize QueryCount = dcount(IPAddress) by Title//, NumberOfIPs = dcount(IPAddress), NumberOfAccounts = dcount(Account)",
"size": 4,
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
@ -574,7 +580,7 @@
"showBorder": false
}
},
"customWidth": "20",
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
@ -582,6 +588,13 @@
},
"name": "query - 9 - Copy"
},
{
"type": 1,
"content": {
"json": "\r\n### By Account\r\n---"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
@ -590,7 +603,7 @@
"size": 0,
"title": "By Account - click to filter",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Account",
@ -648,6 +661,7 @@
}
]
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
@ -659,13 +673,41 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | project Account, IPAddress, Computer, RenderedDescription, UserName, EventID, Time_of_Bind=TimeAgo",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | summarize count() by Account, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Account Details",
"title": "Account events over time - select timebrush",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
},
"customWidth": "30",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | project Account, IPAddress, Computer, RenderedDescription, UserName, EventID, BindingType, Time_of_Bind=TimeAgo",
"size": 0,
"showAnalytics": true,
"title": "Account Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushAccount",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -725,84 +767,20 @@
]
}
},
"conditionalVisibilities": [
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
{
"parameterName": "False",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 7"
},
{
"type": 3,
"type": 1,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | summarize count() by Account, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Account events over time - select timebrush",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
"json": "### By Source IP\r\n---"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | summarize Count=count() by Account, bin(TimeGenerated, {TimeRange:grain}), BindingType\r\n| order by Count",
"size": 0,
"title": "Account events over time ({LDAPTimebrushAccount:label})",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushAccount",
"timeBrushParameterName": "LDAPTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "TimeGenerated",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 11 - Copy"
"name": "text - 13"
},
{
"type": 3,
@ -812,7 +790,7 @@
"size": 0,
"title": "By Source IP - click to filter",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPAddress",
@ -914,6 +892,7 @@
}
]
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
@ -925,13 +904,41 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | project IPAddress, Accounts, Computer, RenderedDescription, UserName, EventID, Time_of_Bind=TimeAgo",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Source IP Details",
"title": "IP addresses events over time - select timebrush",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
},
"customWidth": "30",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | project IPAddress, Accounts, Computer, RenderedDescription, UserName, EventID, BindingType, Time_of_Bind=TimeAgo",
"size": 0,
"showAnalytics": true,
"title": "Source IP Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushIP",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -975,90 +982,12 @@
}
},
"customWidth": "50",
"conditionalVisibilities": [
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
{
"parameterName": "False",
"comparison": "isEqualTo",
"value": "Yes"
}
],
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 8"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "IP addresses events over time - select timebrush",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n| extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | summarize Count = count() by IPAddress, bin(TimeGenerated, {TimeRange:grain}), BindingType\r\n | order by Count",
"size": 0,
"title": "IP addresses events over time ({LDAPTimebrushIP:label})",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "QueryCount",
"formatter": 4,
"formatOptions": {
"palette": "blue"
}
},
{
"columnMatch": "count_",
"formatter": 0,
"formatOptions": {
"aggregation": "Sum"
}
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 12 - Copy"
}
]
},
@ -1096,6 +1025,10 @@
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| summarize Count = count() by WorkstationName, Computer \r\n| project WorkstationName, Computer, Count\r\n| order by Count desc\r\n",
"size": 0,
"title": "NTLM v1 events, by Source and server - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "",
"exportParameterName": "WorkstationName",
"exportDefaultValue": "{\"WorkstationName\":\"All\"}",
@ -1188,9 +1121,9 @@
"version": "KqlItem/1.0",
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| where '{WorkstationName:escape}' contains \"All\" or '{WorkstationName:escape}' contains WorkstationName\r\n| summarize Count=count() by WorkstationName, Day=bin(TimeGenerated, {TimeRange:grain}) ",
"size": 0,
"title": "NTLM v1 events, by time - select to timebrush",
"title": "NTLM v1 events, by time",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "NTLMTimebrush",
@ -1215,11 +1148,12 @@
"version": "KqlItem/1.0",
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| where '{WorkstationName:escape}' contains \"All\" or ('{WorkstationName:escape}' contains WorkstationName and '{WorkstationName:escape}' contains Computer)\r\n| summarize Count = count() by Account, WorkstationName, DC=Computer, LogonProcessName, TargetDomainName, TargetAccount, IpAddress\r\n| sort by Count desc ",
"size": 0,
"title": "NTLM v1 events details ({NTLMTimebrush:label})",
"showAnalytics": true,
"title": "NTLM v1 events details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "NTLMTimebrush",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1345,11 +1279,13 @@
"version": "KqlItem/1.0",
"query": "Event\r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit'\r\n| parse ParameterXml with * '<Param>' ClientAddress '</' *\r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))))\r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by Client, SMBServer=Computer, ParameterXml, RenderedDescription, EventData\r\n| sort by Count desc",
"size": 1,
"showAnalytics": true,
"title": "SMB v1 event details, by client",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
@ -1439,9 +1375,9 @@
"version": "KqlItem/1.0",
"query": "Event \r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit' \r\n| parse ParameterXml with * '<Param>' ClientAddress '</' * \r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress)))) \r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by bin(TimeGenerated, 1h) , SMBServer=Computer \r\n\r\n",
"size": 0,
"title": "SMB v1 events, by server - select to timebrush",
"title": "SMB v1 events, by time",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "SMBtimebrush",
@ -1450,7 +1386,7 @@
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
"visualization": "timechart"
},
"customWidth": "50",
"conditionalVisibility": {
@ -1466,11 +1402,12 @@
"version": "KqlItem/1.0",
"query": "Event\r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit'\r\n| parse ParameterXml with * '<Param>' ClientAddress '</' *\r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))))\r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by Client, SMBServer=Computer, ParameterXml, RenderedDescription, EventData\r\n| sort by Count desc",
"size": 0,
"title": "SMBv1 events, by server: {SMBtimebrush:label}",
"showAnalytics": true,
"title": "SMBv1 events, by server",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "SMBtimebrush",
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@ -1738,6 +1675,7 @@
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher, IpAddress, TargetUserName , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details: {KeberosTimeBrush:label} - select TargetUserName for details",
"timeContext": {
"durationMs": 0
@ -1800,6 +1738,7 @@
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| extend IpAddress = tostring(split(IpAddress,\"f:\").[1])\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n//| where TargetUserName in ('{targetUserNameKerberosParameter}')\r\n| where TargetUserName == '{targetUserNameKerberosParameter:escape}' or '{targetUserNameKerberosParameter:escape}' == \"All\"\r\n| summarize OldestRecord = min(TimeGenerated), NewestRecord = max(TimeGenerated), Count=count() by TargetUserName, Cipher, IpAddress , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details: {targetUserNameKerberosParameter}, {KeberosTimeBrush:label}",
"timeContext": {
"durationMs": 0
@ -1873,9 +1812,10 @@
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| extend IpAddress = tostring(split(IpAddress,\"f:\").[1])\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize OldestRecord = min(TimeGenerated), NewestRecord = max(TimeGenerated), Count=count() by TargetUserName, Cipher, IpAddress , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details unfiltered",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
@ -2095,6 +2035,7 @@
"version": "KqlItem/1.0",
"query": "let details = dynamic({WDigest});\r\nSecurityEvent\r\n| where EventID == 4624 or EventID == 4776\r\n| where Level == 8\r\n| where PackageName contains 'WDigest'\r\n| where (details.Type == 'Workstation' and details.Name == Workstation) or (details.Type == 'TargetAccount' and details.Name == TargetAccount) or (details.Type == '*')\r\n| summarize Count=count() by TargetAccount, Workstation, WDigestServer=Computer , Activity\r\n| sort by Count desc",
"size": 0,
"showAnalytics": true,
"title": "WDigest Account over time {{wDigestTimeBrushAccount:label})",
"timeContext": {
"durationMs": 0
@ -2161,7 +2102,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed //doughnut\r\n| order by Count desc",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed //doughnut\r\n| order by Count desc",
"size": 0,
"title": "Legacy authentications, by account",
"timeContext": {
@ -2205,11 +2146,11 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress,ClientAppUsed //doughnut\r\n| order by Count desc",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress,ClientAppUsed //doughnut\r\n| order by Count desc",
"size": 0,
"title": "Legacy authentications, by IP address",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
@ -2245,11 +2186,11 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"size": 1,
"title": "Account events over time - select timebrush",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "AADTimebrushAccount",
@ -2319,13 +2260,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by Count\r\n",
"query": "SigninLogs\r\n| where TimeGenerated between ({AADTimebrushAccount:start}..({AADTimebrushAccount:end}+{AADTimebrushAccount:grain}))\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed\r\n",
"size": 1,
"title": "Account events over time ({AADTimebrushAccount:label})",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AADTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
@ -2340,13 +2277,7 @@
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"UserPrincipalName"
]
}
]
}
},
"customWidth": "50",
@ -2361,11 +2292,11 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"size": 1,
"title": "IPAddresses over time - select timebrush",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "AADTimebrushIPAddress",
@ -2435,13 +2366,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress\r\n| order by Count\r\n",
"query": "SigninLogs\r\n| where TimeGenerated between ({AADTimebrushAccount:start}..({AADTimebrushAccount:end}+{AADTimebrushAccount:grain}))\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress, ClientAppUsed\r\n| order by Count\r\n",
"size": 1,
"title": "IP events over time ({AADTimebrushIPAddress:label})",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "AADTimebrushIPAddress",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
@ -2483,11 +2410,11 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by ClientAppUsed, UserPrincipalName //bar",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by ClientAppUsed, UserPrincipalName //bar",
"size": 0,
"title": "Legacy authentications, by authentication type",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
@ -2555,11 +2482,11 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\r\n| order by count_\r\n",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\r\n| order by count_\r\n",
"size": 0,
"title": "Legacy authentications, by country/region",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
@ -2628,13 +2555,15 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| extend mergeCountry = toupper(LocationDetails.countryOrRegion)\r\n| summarize IPaddress = make_set(IPAddress), Count=count() by UserPrincipalName, ClientAppUsed, tostring(CountryOrRegion=mergeCountry) //table\r\n| order by Count desc",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| extend mergeCountry = toupper(LocationDetails.countryOrRegion)\r\n| summarize IPaddress = make_set(IPAddress), Count=count() by UserPrincipalName, ClientAppUsed, tostring(CountryOrRegion=mergeCountry) //table\r\n| order by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Legacy authentications details",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
@ -2738,12 +2667,11 @@
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Status",
"size": 1,
"title": "Secure Channel by Time - Select Time Range",
"title": "Secure Channel by Time",
"timeContext": {
"durationMs": 604800000
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "SCTimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
@ -2762,9 +2690,13 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where TimeGenerated between({SCTimeBrush:start}..({SCTimeBrush:end}+{TimeRange:grain}))\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by Machine, Status\r\n| order by Count desc",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by Machine, Status\r\n| order by Count desc",
"size": 0,
"title": "By Machine - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Machine",
"exportParameterName": "Machine",
"exportDefaultValue": "All",
@ -2795,9 +2727,15 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where TimeGenerated between({SCTimeBrush:start}..({SCTimeBrush:end}+{TimeRange:grain}))\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| where Machine =~ \"{Machine}\" or \"{Machine}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, Machine, Domain, AccountType, OperatingSystem, EventID, Status\r\n",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| where Machine =~ \"{Machine}\" or \"{Machine}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, Machine, Domain, AccountType, OperatingSystem, EventID, Status\r\n",
"size": 0,
"showAnalytics": true,
"title": "Machine Account Connections",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
@ -2818,9 +2756,13 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where TimeGenerated between({SCTimeBrush:start}..({SCTimeBrush:end}+{TimeRange:grain}))\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by ClientIP, Status\r\n| order by Count desc",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by ClientIP, Status\r\n| order by Count desc",
"size": 0,
"title": "By Trust Account - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "ClientIP",
"exportParameterName": "ClientIP",
"exportDefaultValue": "All",
@ -2846,9 +2788,15 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where TimeGenerated between({SCTimeBrush:start}..({SCTimeBrush:end}+{TimeRange:grain}))\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| where ClientIP =~ \"{ClientIP}\" or \"{ClientIP}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, AccountType, TrustName, TrustTarget, ClientIP, EventID, Status",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| where ClientIP =~ \"{ClientIP}\" or \"{ClientIP}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, AccountType, TrustName, TrustTarget, ClientIP, EventID, Status",
"size": 0,
"showAnalytics": true,
"title": "Trust Account Connections",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [