Merge pull request #2199 from Azure/yaronfr/2021/Apr/ExpFix
Casting and other bug fixes
This commit is contained in:
Yaron
GitHub
Коммит
5b23095ddd
|
|
@ -54,7 +54,7 @@ query: |
|
|||
| top 10 by Host_Aux_FailedLoginsCount
|
||||
| parse Computer with Host_NTDomain '\\' *
|
||||
| extend Host_HostName = tostring(split(Computer,'.')[0]),
|
||||
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
|
||||
Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID = _ResourceId
|
||||
| project-away Computer, Account
|
||||
};
|
||||
MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')
|
||||
|
|
|
|||
|
|
@ -33,7 +33,7 @@ query: |
|
|||
v_Account_UPNSuffix
|
||||
)
|
||||
| parse UserPrincipalName with Account_Name '@' Account_UPNSuffix
|
||||
| project-rename Account_AadUserId = toguid(UserId)
|
||||
| extend Account_AadUserId = toguid(UserId)
|
||||
| where (isnotempty(Account_Name) and Account_Name =~ p_Account_Name and isnotempty(Account_UPNSuffix) and Account_UPNSuffix =~ p_Account_UPNSuffix)
|
||||
or (isnotempty(Account_AadUserId) and Account_AadUserId == toguid(v_Account_AadUserId))
|
||||
| extend FullLocation = strcat(Location,'|', LocationDetails.state, '|', LocationDetails.city)
|
||||
|
|
|
|||
|
|
@ -32,8 +32,8 @@ query: |
|
|||
| where isnotempty(p_Account_UPN) and p_Account_UPN =~ InitiatingProcessAccountUpn
|
||||
or
|
||||
isnotempty(v_Account_Sid) and v_Account_Sid =~ InitiatingProcessAccountSid
|
||||
| project Host_UnstucturedName = DeviceName
|
||||
| summarize Host_Aux_AppConCount=count() by Host_UnstucturedName
|
||||
| project Host_UnstructuredName = DeviceName
|
||||
| summarize Host_Aux_AppConCount=count() by Host_UnstructuredName
|
||||
| top 10 by Host_Aux_AppConCount desc nulls last
|
||||
};
|
||||
AppControlEvents('<Name>','<UPNSuffix>','<Sid>')
|
||||
|
|
|
|||
|
|
@ -26,10 +26,9 @@ query: |
|
|||
| where AccountType == 'User'
|
||||
| where tolower(Account) contains tolower(v_Account_Name)
|
||||
| extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId
|
||||
| project Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime = max_TimeGenerated, Host_UnstructuredName=Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId
|
||||
| top 10 by Host_Aux_StartTime asc nulls last
|
||||
};
|
||||
// change <Name> value below
|
||||
GetAllLogonsForUser(tolower('<Name>'))
|
||||
|
||||
GetAllLogonsForUser(tolower('<Name>'))
|
||||
|
|
@ -27,7 +27,7 @@ query: |
|
|||
| where tolower(Account) contains tolower(v_Account_Name)
|
||||
| extend info = pack('EventID', EventID, 'Account', Account, 'LogonTypeName', LogonTypeName, 'SubStatus', SubStatus, 'AccountType', AccountType, 'WorkstationName', WorkstationName, 'IpAddress', IpAddress)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=SourceComputerId, Host_AzureID=_ResourceId
|
||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID=_ResourceId
|
||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
||||
| top 10 by Host_Aux_StartTime asc nulls last
|
||||
};
|
||||
|
|
|
|||
|
|
@ -20,7 +20,7 @@ query: |
|
|||
let GetFilesHost = (v_File_Name:string){
|
||||
SecurityEvent
|
||||
| where CommandLine contains v_File_Name or ServiceFileName contains v_File_Name or ServiceName contains v_File_Name
|
||||
| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
|
||||
| summarize min(TimeGenerated), max(TimeGenerated) by Computer, Host_OMSAgentID=toguid(SourceComputerId), Host_AzureID = _ResourceId
|
||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_OMSAgentID, Host_AzureID
|
||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_min_TimeGenerated=min_TimeGenerated, Host_Aux_max_TimeGenerated=max_TimeGenerated
|
||||
| top 10 by Host_Aux_min_TimeGenerated desc nulls last
|
||||
|
|
|
|||
|
|
@ -14,12 +14,13 @@ Tactics:
|
|||
- Persistence
|
||||
- LateralMovement
|
||||
query: |
|
||||
|
||||
let BlockedUnsigned = (v_Host_HostName:string){
|
||||
DeviceEvents
|
||||
| where ActionType == "ExploitGuardNonMicrosoftSignedBlocked" and FileName !hassuffix ".ni.dll"
|
||||
| where v_Host_HostName =~ tostring(split(DeviceName, '.')[0])
|
||||
| summarize Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName
|
||||
| top 10 by Count desc
|
||||
| summarize Process_Aux_Count=count() by Process_ProcessId=InitiatingProcessId, Process_CommandLine=InitiatingProcessCommandLine, Process_Host_UnstructuredName=DeviceName
|
||||
| top 10 by Process_Aux_Count desc
|
||||
};
|
||||
// change <HostName> value below
|
||||
BlockedUnsigned('<HostName>')
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
Id: fdb3e714-c036-4708-a0eb-6ae10a1912a1
|
||||
Id: fdb3e714-c036-4708-a0eb-6ae10a1912a1
|
||||
DisplayName: Least prevalent accounts associated with this IP
|
||||
Description: The bottom 10 count of user account logon attempts from a given IPAddress during a given time period based on SigninLogs (set time range to +-1d when running the query)
|
||||
InputEntityType: Ip
|
||||
|
|
@ -27,8 +27,7 @@ query: |
|
|||
| extend info = pack('AppDisplayName', AppDisplayName, 'ClientAppUsed', ClientAppUsed, 'Browser', tostring(Browser), 'IPAddress', IPAddress, 'ResultType', ResultType, 'ResultDescription', ResultDescription, 'Location', Location, 'State', State, 'City', City, 'StatusCode', StatusCode, 'StatusDetails', StatusDetails)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId
|
||||
| top 10 by count_ asc nulls last
|
||||
| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, UserId, Account_Aux_info
|
||||
| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_AadUserId=toguid(UserId), Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS
|
||||
};
|
||||
| project Account_Aux_StartTime = min_TimeGenerated, Account_Aux_EndTime = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_AadUserId=toguid(UserId), Account_Aux_info
|
||||
| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId , Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS };
|
||||
// change <Address> value below
|
||||
GetLeastPrevUsersbyIP('<Address>')
|
||||
|
|
|
|||
|
|
@ -25,7 +25,7 @@ query: |
|
|||
| summarize min(EventTime), max(EventTime), count(), Host_Aux_info = makeset(info) by Computer
|
||||
| top 10 by count_ desc nulls last
|
||||
| project Host_Aux_StartTime = min_EventTime, Host_Aux_EndTime = max_EventTime, Computer, Host_Aux_info
|
||||
| project-rename Host_UnstructuredName=Computer, Host_OMSAgentId=SourceComputerId
|
||||
| project-rename Host_UnstructuredName=Computer
|
||||
};
|
||||
// change <Address> value below
|
||||
GetSysLogEventsWithIP('<Address>')
|
||||
|
|
|
|||
|
|
@ -27,8 +27,8 @@ query: |
|
|||
| extend info = pack('AppDisplayName', AppDisplayName, 'ClientAppUsed', ClientAppUsed, 'Browser', tostring(Browser), 'IPAddress', IPAddress, 'ResultType', ResultType, 'ResultDescription', ResultDescription, 'Location', Location, 'State', State, 'City', City, 'StatusCode', StatusCode, 'StatusDetails', StatusDetails)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), count(), Account_Aux_info = makeset(info) by RemoteHost , UserDisplayName, tostring(OS), UserPrincipalName, AADTenantId, UserId
|
||||
| top 10 by count_ desc nulls last
|
||||
| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, UserId, Account_Aux_info
|
||||
| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_AadUserId=toguid(UserId), Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS
|
||||
| project Account_Aux_StartTimeUtc = min_TimeGenerated, Account_Aux_EndTimeUtc = max_TimeGenerated, RemoteHost, UserDisplayName, OS, UserPrincipalName, AADTenantId, Account_Aux_info, Account_AadUserId=toguid(UserId)
|
||||
| project-rename Account_UnstructuredName=UserPrincipalName, Account_DisplayName=UserDisplayName, Account_AadTenantId=AADTenantId, Account_Host_UnstructuredName=RemoteHost, Account_Host_OSVersion=OS
|
||||
};
|
||||
// change <Address> value below
|
||||
GetMostPrevUsersbyIP('<Address>')
|
||||
|
|
|
|||
|
|
@ -24,4 +24,4 @@ query: |
|
|||
| project File_Name=FileName
|
||||
};
|
||||
// change Process values below
|
||||
BlockedUnsignedFile(<v_Process_ProcessId>,'<v_Process_ImageFile>')
|
||||
BlockedUnsignedFile('<v_Process_ProcessId>','<v_Process_ImageFile>')
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ query: |
|
|||
| extend Host_Aux_info = IP_Aux_info
|
||||
| top 10 by count_ asc
|
||||
| project min_SessionStartTime, Computer, LocalIP, IP_Aux_info, Host_Aux_info
|
||||
| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime, Host_OMSAgentId=SourceComputerId
|
||||
| project-rename IP_Address=LocalIP, Host_UnstructuredName=Computer, Host_Aux_min_SessionStartTime=min_SessionStartTime
|
||||
};
|
||||
// change <CommandLine> value below
|
||||
GetWireDataInboundWithProcess('<CommandLine>')
|
||||
|
|
|
|||
|
|
@ -27,9 +27,9 @@ query: |
|
|||
| where NewProcessName has v_Process_ImageFile_FullPath
|
||||
| extend info = pack('Account', Account, 'NewProcessName', NewProcessName, 'CommandLine', CommandLine)
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), Host_Aux_info = makeset(info) by Computer, SourceComputerId, _ResourceId
|
||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, SourceComputerId, _ResourceId
|
||||
| project min_TimeGenerated, max_TimeGenerated, Computer, Host_Aux_info, Host_OMSAgentID=toguid(SourceComputerId)
|
||||
| top 10 by min_TimeGenerated asc nulls last
|
||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated, Host_OMSAgentID=SourceComputerId, Host_AzureID_ResourceId
|
||||
| project-rename Host_UnstructuredName=Computer, Host_Aux_StartTime=min_TimeGenerated, Host_Aux_EndTime=max_TimeGenerated
|
||||
};
|
||||
// change <CommandLine> value below
|
||||
GetHostsWithProcess('<CommandLine>')
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче