Update ExcessiveLogonFailures.yaml

Updating reason codes and fixing up some syntax.
2020-09-17 09:21:47 -07:00 · 2020-09-17 09:21:47 -07:00 · 7bea0a85d9
--- a/Detections/SecurityEvent/ExcessiveLogonFailures.yaml
+++ b/Detections/SecurityEvent/ExcessiveLogonFailures.yaml
@ -25,7 +25,7 @@ query: |
  | where TimeGenerated >= ago(endtime)
  | where EventID == 4625 and AccountType =~ "User"
  | where IpAddress !in ("127.0.0.1", "::1")
-  | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
+  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
  | join kind=leftouter (
      SecurityEvent 
      | where TimeGenerated between (ago(starttime) .. ago(endtime))
@ -35,25 +35,30 @@ query: |
  ) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
  | where CountToday >= coalesce(CountPrev7day,0)*threshold and CountToday >= countlimit
  | extend Reason = case(
-  SubStatus == '0xc000005e', 'No logon servers available to service the logon request',
-  SubStatus == '0xc0000062', 'Account name is not properly formatted',
-  SubStatus == '0xc0000064', 'Account name does not exist',
-  SubStatus == '0xc000006a', 'Incorrect password',    
-  SubStatus == '0xc000006d', 'Bad user name or password',
-  SubStatus == '0xc000006f', 'User logon blocked by account restriction',
-  SubStatus == '0xc000006f', 'User logon outside of restricted logon hours',
-  SubStatus == '0xc0000070', 'User logon blocked by workstation restriction',
-  SubStatus == '0xc0000071', 'Password has expired',
-  SubStatus == '0xc0000072', 'Account is disabled',
-  SubStatus == '0xc0000133', 'Clocks between DC and other computer too far out of sync',
-  SubStatus == '0xc000015b', 'The user has not been granted the requested logon right at this machine',
-  SubStatus == '0xc0000193', 'Account has expirated',
-  SubStatus == '0xc0000224', 'User is required to change password at next logon',
-  SubStatus == '0xc0000234', 'Account is currently locked out',
+  SubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',
+  SubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',
+  SubStatus =~ '0xC000006A', 'User logon with misspelled or bad password',    
+  SubStatus =~ '0xC000006D', 'Bad user name or password',
+  SubStatus =~ '0xC000006E', 'Unknown user name or bad password',
+  SubStatus =~ '0xC000006F', 'User logon outside authorized hours',
+  SubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',
+  SubStatus =~ '0xC0000071', 'User logon with expired password',
+  SubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',
+  SubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation',  
+  SubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',
+  SubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',
+  SubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',
+  SubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',
+  SubStatus =~ '0xC0000193', 'User logon with expired account',
+  SubStatus =~ '0xC0000224', 'User is required to change password at next logon',
+  SubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',
+  SubStatus =~ '0xC0000234', 'User logon with account locked',
+  SubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',
+  SubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',
  strcat('Unknown reason substatus: ', SubStatus))
  | extend WorkstationName = iff(WorkstationName == "-" or isempty(WorkstationName), Computer , WorkstationName) 
-  | project StartTimeUtc, EndTimeUtc, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = CountPrev7day/7
-  | summarize StartTimeUtc = min(StartTimeUtc), EndTimeUtc = max(EndTimeUtc), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) 
+  | project StartTime, EndTime, EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountPrev7day, Avg7Day = round(CountPrev7day*1.00/7,2)
+  | summarize StartTime = min(StartTime), EndTime = max(EndTime), Computer = make_set(Computer,128), IpAddressList = make_set(IpAddress,128), sum(CountToday), sum(CountPrev7day), avg(Avg7Day) 
  by EventID, Account, LogonTypeName, SubStatus, Reason, AccountType, WorkstationName
  | order by sum_CountToday desc nulls last 
-  | extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = WorkstationName
+  | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = WorkstationName