diff --git a/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml b/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml
index f19034953a..6c5c4351e0 100644
--- a/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml
+++ b/Detections/MultipleDataSources/PrivilegedAccountsSigninFailureSpikes.yaml
@@ -1,4 +1,4 @@
-id: 2c1808f0-50b8-4d7a-9b2f-6e2a744b9512
+id: 34c5aff9-a8c2-4601-9654-c7e46342d03b
 name: Privileged Accounts - Sign in Failure Spikes
 description: |
 ' Identifies spike in failed sign-ins from Privileged accounts. Privileged accounts list can be based on IdentityInfo UEBA table or built-in watchlist. 
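Review bot: Changing `id` re-keys the analytics rule template, so anything that tracks this detection by its template id (rules already deployed from the previous id, content-hub update checks) will see it as a new, unrelated template rather than an update to the existing one. The `version` field and any changelog entry are outside this hunk, so I cannot tell whether a version bump accompanies the re-key. If the old id was changed because it collided with another template's id, a one-line explanation in the commit message or PR description would make the intent clear to the next reviewer.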
@@ -68,9 +68,9 @@ query: |
 | where TimeGenerated > ago(2d)
 | extend DateHour = bin(TimeGenerated, 1h) // create a new column and round to hour
 | where DateHour in ((AnomalyHours)) //filter the dataset to only selected anomaly hours
- | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), HomeTenantId, OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName
+ | summarize HourlyCount=count(), LatestAnomalyTime = arg_max(timestamp,*) by bin(TimeGenerated,1h), OperationName, Category, ResultType, ResultDescription, UserPrincipalName, UserDisplayName, AppDisplayName, ClientAppUsed, IPAddress, ResourceDisplayName
 ) on UserPrincipalName
- | project LatestAnomalyTime, HomeTenantId, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score
+ | project LatestAnomalyTime, OperationName, Category, UserPrincipalName, UserDisplayName, ResultType, ResultDescription, AppDisplayName, ClientAppUsed, UserAgent, IPAddress, Location, AuthenticationRequirement, ConditionalAccessStatus, ResourceDisplayName, HourlyCount, baseline, anomalies, score
 | extend timestamp = LatestAnomalyTime, IPCustomEntity = IPAddress, AccountCustomEntity = UserPrincipalName
 entityMappings:
 - entityType: Account
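Review bot: Dropping `HomeTenantId` from the `summarize ... by` grouping changes what `HourlyCount` counts, not just what is projected: failed sign-ins for the same UserPrincipalName that previously split by home tenant are now folded into one bucket, which can shift which hours the anomaly logic flags and loses the tenant dimension analysts use to triage cross-tenant sign-ins. If the motivation is that the column is missing in some workspace schemas (which I am inferring; the commit does not say), `| extend HomeTenantId = column_ifexists("HomeTenantId", "")` placed before the `summarize` keeps the query valid everywhere while preserving the tenant split where the column exists, and the column could then stay in the `project`. The `entityMappings` block does not reference `HomeTenantId`, so entity mapping is unaffected either way; the enclosing `query:` block starts before this hunk, so the left side of the join and the anomaly computation are not visible here.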