Add KQL validations for ImAuthentication (#4187)
* added KQL validations for ImAuthentication * updated KQL validations * fix Acc2Host_HostWithMostFails
Родитель
29fffc23dd
Коммит
4f2ef115c4
|
@ -12,7 +12,7 @@
|
|||
<IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
|
||||
</PackageReference>
|
||||
<PackageReference Include="YamlDotNet" Version="6.0.0" />
|
||||
<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="3.0.0" />
|
||||
<PackageReference Include="Microsoft.Azure.Sentinel.KustoServices" Version="3.1.1" />
|
||||
</ItemGroup>
|
||||
|
||||
</Project>
|
||||
|
|
Двоичные данные
.script/tests/KqlvalidationsTests/Microsoft.Azure.Sentinel.KustoServices.3.1.1.nupkg
Normal file
Двоичные данные
.script/tests/KqlvalidationsTests/Microsoft.Azure.Sentinel.KustoServices.3.1.1.nupkg
Normal file
|
@ -23,15 +23,5 @@
|
|||
"id": "09c49590-4e9d-4da9-a34d-17222d0c9e7e",
|
||||
"templateName": "PotentiallyHarmfulFileTypes.yaml",
|
||||
"validationFailReason": "The name '_GetWatchList' does not refer to any known function"
|
||||
},
|
||||
{
|
||||
"id": "4c541df8-a680-4da5-96c9-74456927213f",
|
||||
"templateName": "Acc2Host_HostWithMostFails.yaml",
|
||||
"validationFailReason": "The name 'imAuthentication' does not refer to any known function"
|
||||
},
|
||||
{
|
||||
"id": "7f3989bf-1558-4d3c-bb5e-e17ac2a67a87",
|
||||
"templateName": "UserAccount_LogonsFromIPAddress.yaml",
|
||||
"validationFailReason": "The name 'imAuthentication' does not refer to any known function"
|
||||
}
|
||||
]
|
|
@ -17,6 +17,7 @@ Tactics:
|
|||
- LateralMovement
|
||||
- Collection
|
||||
query: |
|
||||
let SuccessfulLoginEventId = 4624;
|
||||
let FailedLoginEventId = 4625;
|
||||
let isimAuthenticationInstalled=toscalar(union isfuzzy=true (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
|
||||
let Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
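Review bot: The parser probe added on the `isimAuthenticationInstalled` line is an opaque one-liner with nothing explaining why it works; a reader of the template cannot tell that `isfuzzy=true` is what lets the query survive a missing `imAuthentication` function, or that `Count>1` tests whether the parser's columns were added to the one-column `datatable`. Add a KQL comment above it, e.g. `// Probe for the ASIM imAuthentication parser: isfuzzy=true tolerates a missing function; Count>1 means its columns joined the single-column datatable.` Note that this only proves the parser function exists, not that any authentication source is onboarded — if the rest of the query (outside this hunk) routes events to the ASIM path whenever the flag is true, a deployed-but-empty parser would silently bypass the `Legacy` path and the rule would produce no alerts, so that fallback deserves a comment or a data-presence check as well. The `Legacy` function begins on the hunk's last line and continues outside it.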
|
||||
|
|