Update gte_6_FailedLogons_10m.yaml
Родитель
414cece17d
Коммит
69b5c47f08
|
@ -16,7 +16,6 @@ tactics:
|
||||||
relevantTechniques:
|
relevantTechniques:
|
||||||
- T1110
|
- T1110
|
||||||
query: |
|
query: |
|
||||||
|
|
||||||
let timeframe = 10m;
|
let timeframe = 10m;
|
||||||
let threshold = 20;
|
let threshold = 20;
|
||||||
SecurityEvent
|
SecurityEvent
|
||||||
|
@ -52,4 +51,4 @@ query: |
|
||||||
Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,
|
Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,
|
||||||
LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
|
LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
|
||||||
| where FailedLogonCount >= threshold
|
| where FailedLogonCount >= threshold
|
||||||
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
|
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
|
||||||
|
|
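Review bot: The threshold the rule actually enforces, `let threshold = 20;` and `| where FailedLogonCount >= threshold` (context lines in both hunks), does not agree with the `gte_6` in the file name, which reads as "greater than or equal to 6"; whichever count is intended, the file name, the rule's description and the constant should say the same number, since that is what an analyst tuning the alert reads first. The first hunk's `-16,7 +16,6` header shows exactly one line removed between `query: |` and `let timeframe = 10m;`, but this rendered view prints old and new text together, so which line went cannot be told from the page; if it was only a blank line inside the block scalar the query is unchanged, and the commit message should say so rather than just "Update". The entity fields are still emitted through the `| extend ... AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress` line; a short comment above `let threshold` such as `# failed-logon count per account/host window that fires the alert; keep in sync with the rule name` would make the tunable explicit. The second hunk is context only.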