Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Updated Queries

This commit is contained in:
Iftekhar Hussain 2020-07-29 20:05:49 +05:30
Родитель 5822a35708
Коммит 9ac3464878
2 изменённых файлов: 3 добавлений и 2 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

2
Hunting Queries/SQLServer/SQL-MultipleFailedLogon_InShortSpan.yaml
Просмотреть файл

@ -19,6 +19,8 @@ query: |
// The underlying table where the data exists is the Event table. // The underlying table where the data exists is the Event table.
// the timeframe and threshold can be changed below as per requirement // the timeframe and threshold can be changed below as per requirement
// //
let TimeFrame = 1d;
let failedThreshold = 3;
SQLEvent SQLEvent
| where TimeGenerated >= ago(TimeFrame) | where TimeGenerated >= ago(TimeFrame)
| where LogonResult has "failed" | where LogonResult has "failed"

3
Hunting Queries/SQLServer/SQL-New_UserCreated.yaml
Просмотреть файл

@ -22,7 +22,6 @@ query: |
SQLEvent SQLEvent
| where TimeGenerated >= ago(1d) | where TimeGenerated >= ago(1d)
| where Statement has "Create Login" | where Statement has "Create Login"
| parse Statement with "CREATE LOGIN [" TargetUser:string | parse Statement with "CREATE LOGIN [" TargetUser:string "]" *
"]" *
| project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement | project TimeGenerated, Computer, Action, ClientIP, CurrentUser, DatabaseName, TargetUser, ObjectName, Statement
| extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP | extend timestamp = TimeGenerated, AccountCustomEntity = CurrentUser, IPCustomEntity = ClientIP