Updated Queries

Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml

@@ -19,6 +19,8 @@ query: |
         // The underlying table where the data exists is the Event table.
         // the timeframe and threshold can be changed below as per requirement
         //
+        let TimeFrame = 1d;
+        let failedThreshold = 3;
         SQLEvent
         | where TimeGenerated >= ago(TimeFrame) 
         | where LogonResult has "failed"

Hunting Queries/SQLServer/SQL-New_UserCreated.yaml

@@ -22,7 +22,6 @@ query: |
         SQLEvent
         | where TimeGenerated >= ago(1d)
         | where Statement has "Create Login"
-        | parse Statement with "CREATE LOGIN [" TargetUser:string
-                              "]" *
+        | parse Statement with "CREATE LOGIN [" TargetUser:string "]" *
         | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
         | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP