Fixing potential issues with mvexpand and rule creation failures due to entity types
This commit is contained in:
Родитель
0e5a4607d5
Коммит
a764b922a2
|
@ -32,5 +32,6 @@ query: |
|
||||||
| summarize TimeGenerated=max(TimeGenerated), userCount = dcount(UserId), UserId = makelist(UserId), ClientIP = makeset(ClientIP) by fwdingDestination
|
| summarize TimeGenerated=max(TimeGenerated), userCount = dcount(UserId), UserId = makelist(UserId), ClientIP = makeset(ClientIP) by fwdingDestination
|
||||||
| where userCount > 1
|
| where userCount > 1
|
||||||
| mvexpand UserId, ClientIP
|
| mvexpand UserId, ClientIP
|
||||||
|
| extend UserId = tostring(UserId), ClientIP = tostring(ClientIP)
|
||||||
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
| extend timestamp = TimeGenerated, AccountCustomEntity = UserId, IPCustomEntity = ClientIP
|
||||||
|
|
||||||
|
|
|
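Review bot: The two arrays expanded together on the `mvexpand UserId, ClientIP` line are built differently in the preceding summarize — `UserId = makelist(UserId)` keeps duplicates while `ClientIP = makeset(ClientIP)` deduplicates — so they will usually differ in length, and mv-expand over several columns zips them positionally, padding the shorter array with null. The added `tostring()` then turns those nulls into empty strings, and each AccountCustomEntity/IPCustomEntity pair is a positional coincidence rather than a user and the IP that user actually came from. If one entity row per observed user/IP combination is the intent, keep them together before aggregating, e.g. `| summarize TimeGenerated=max(TimeGenerated), userCount = dcount(UserId) by fwdingDestination, UserId, ClientIP` is not equivalent because of the `userCount > 1` filter, so the cleaner fix is to compute userCount per destination first and join it back, or at least build both columns with `make_set` so the pairing is deterministic and document that the pairing is not a true correlation. The query this hunk belongs to starts before the hunk, so the upstream column types cannot be confirmed here.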
@ -38,4 +38,5 @@ query: |
|
||||||
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName
|
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName
|
||||||
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
|
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
|
||||||
| mvexpand IPAddress
|
| mvexpand IPAddress
|
||||||
|
| extend IPAddress = tostring(IPAddress)
|
||||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
|
||||||
|
|
|
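Review bot: The new `extend IPAddress = tostring(IPAddress)` can be folded into the expansion itself, which also records the intended entity type where the column is produced: `| mv-expand IPAddress to typeof(string)` replaces both lines, and the hyphenated `mv-expand` is the current spelling of the legacy `mvexpand` alias. The summarize that builds IPAddress starts before this hunk; if it uses `makeset`, be aware that it keeps at most 128 distinct values by default, so a user seen from more addresses in one window would silently lose entities. Consider noting that limit in a comment next to the summarize if it matters for this rule.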
@ -27,9 +27,10 @@ let IPsFromRareLocations = (v_Account_Name:string, v_Account_AadUserId:string){
|
||||||
LocationPrevalence
|
LocationPrevalence
|
||||||
| summarize makeset(IPAddress), makeset(Location), makeset(LocationCount) , totalActivity = sum(LocationCount) by UserPrincipalName
|
| summarize makeset(IPAddress), makeset(Location), makeset(LocationCount) , totalActivity = sum(LocationCount) by UserPrincipalName
|
||||||
| mvexpand Location = set_Location, LocationCount = set_LocationCount, IPAddress = set_IPAddress
|
| mvexpand Location = set_Location, LocationCount = set_LocationCount, IPAddress = set_IPAddress
|
||||||
|
| extend Location = tostring(Location), LocationCount = toint(LocationCount), IPAddress = tostring(IPAddress)
|
||||||
| extend percentOfActivity = 100*LocationCount/totalActivity
|
| extend percentOfActivity = 100*LocationCount/totalActivity
|
||||||
| where percentOfActivity < 10
|
| where percentOfActivity < 10
|
||||||
| project UserPrincipalName, IPAddress, Location, toint(LocationCount), percentOfActivity
|
| project UserPrincipalName, IPAddress, Location, LocationCount, percentOfActivity
|
||||||
| top 10 by LocationCount asc nulls last
|
| top 10 by LocationCount asc nulls last
|
||||||
| extend Account_Aux_info = pack("LocationCount", LocationCount, "PercentOfActivity", percentOfActivity)
|
| extend Account_Aux_info = pack("LocationCount", LocationCount, "PercentOfActivity", percentOfActivity)
|
||||||
| parse UserPrincipalName with Account_NTDomain "\\" *
|
| parse UserPrincipalName with Account_NTDomain "\\" *
|
||||||
|
|
|
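Review bot: The alignment between Location, LocationCount and IPAddress is not guaranteed on the `mvexpand Location = set_Location, LocationCount = set_LocationCount, IPAddress = set_IPAddress` line, because `makeset` deduplicates each column independently: two locations sharing a count, or two IPs resolving to one location, shrink one set but not the others, and mv-expand then zips sets of different lengths and pads with null. The `percentOfActivity = 100*LocationCount/totalActivity` that follows is then computed against a count that may belong to a different row, and the null-padded rows are silently dropped by `where percentOfActivity < 10`. Assuming LocationPrevalence has one row per user/IP/location (its definition, inside `let IPsFromRareLocations`, starts before this hunk), `make_list` preserves per-row alignment: `| summarize make_list(IPAddress), make_list(Location), make_list(LocationCount), totalActivity = sum(LocationCount) by UserPrincipalName` and `| mv-expand Location = list_Location, LocationCount = list_LocationCount, IPAddress = list_IPAddress`. The new `toint(LocationCount)` cast is still needed after that change.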
@ -39,7 +39,7 @@ query: |
|
||||||
// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity
|
// Get just the InitiatedBy and CorrleationId so we can look at associated audit activity
|
||||||
// 2 other operations that can be part of malicious activity in this situation are
|
// 2 other operations that can be part of malicious activity in this situation are
|
||||||
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you are interested in those as starting points for OperationName
|
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you are interested in those as starting points for OperationName
|
||||||
let HistoricalConsent = auditLogEvents(30d)
|
let HistoricalConsent = auditLogEvents(auditLookback)
|
||||||
| where OperationName == "Consent to application"
|
| where OperationName == "Consent to application"
|
||||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count()
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), OperationCount = count()
|
||||||
by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id
|
by Type, InitiatedBy, IpAddress, TargetResourceName, Category, OperationName, PropertyName, newValue, CorrelationId, Id
|
||||||
|
@ -50,7 +50,7 @@ query: |
|
||||||
| summarize by InitiatedBy, CorrelationId;
|
| summarize by InitiatedBy, CorrelationId;
|
||||||
// 2 other operations that can be part of malicious activity in this situation are
|
// 2 other operations that can be part of malicious activity in this situation are
|
||||||
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you changed the starting OperationName above
|
// "Add OAuth2PermissionGrant" and "Add service principal", replace the below if you changed the starting OperationName above
|
||||||
let allOtherEvents = auditLogEvents(30d)
|
let allOtherEvents = auditLogEvents(auditLookback)
|
||||||
| where OperationName != "Consent to application";
|
| where OperationName != "Consent to application";
|
||||||
// Gather associated activity based on audit activity for "Consent to application" and InitiatedBy and CorrleationId
|
// Gather associated activity based on audit activity for "Consent to application" and InitiatedBy and CorrleationId
|
||||||
let CorrelatedEvents = Correlate
|
let CorrelatedEvents = Correlate
|
||||||
|
|
|
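Review bot: Both `auditLogEvents(30d)` calls are replaced by `auditLogEvents(auditLookback)`, but neither hunk declares `auditLookback`; if it is not introduced with a `let auditLookback = 30d;` earlier in the query (outside these hunks), the rule fails to parse with an unresolved name, which is exactly the kind of rule-creation failure the commit title describes. A short comment next to that declaration would also help: `// lookback window for both the consent events and the correlated audit activity; keep the two in sync`. The HistoricalConsent and allOtherEvents definitions both continue past their hunks.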
@ -21,14 +21,15 @@ query: |
|
||||||
(DnsEvents
|
(DnsEvents
|
||||||
| where TimeGenerated >= ago(timeframe)
|
| where TimeGenerated >= ago(timeframe)
|
||||||
| where Name has_any (badNames)
|
| where Name has_any (badNames)
|
||||||
| extend Domain = Name, SourceIp = ClientIP, RemoteIp = IPAddresses
|
| extend Domain = Name, SourceIp = ClientIP, RemoteIP = IPAddresses
|
||||||
| mvexpand RemoteIP),
|
| mvexpand RemoteIP
|
||||||
|
| extend RemoteIP = tostring(RemoteIP)),
|
||||||
(VMConnection
|
(VMConnection
|
||||||
| where TimeGenerated >= ago(timeframe)
|
| where TimeGenerated >= ago(timeframe)
|
||||||
| where isnotempty(RemoteDnsCanonicalNames)
|
| where isnotempty(RemoteDnsCanonicalNames)
|
||||||
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
|
| parse RemoteDnsCanonicalNames with * '["' DNSName '"]' *
|
||||||
| where DNSName has_any (badNames)
|
| where DNSName has_any (badNames)
|
||||||
| extend Domain = DNSName
|
| extend Domain = DNSName, RemoteIP = RemoteIp
|
||||||
))
|
))
|
||||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIp, Computer
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by Domain, SourceIp, RemoteIP, Computer
|
||||||
| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIp
|
| extend timestamp = StartTimeUtc, HostCustomEntity = Computer, IPCustomEntity = RemoteIP
|
||||||
|
|
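Review bot: The `extend ... RemoteIP = IPAddresses | mvexpand RemoteIP` lines assume IPAddresses is a dynamic array; if, as in the documented DnsEvents schema, it is a delimited string of response addresses, mv-expand yields a single row carrying the whole string and the subsequent `summarize ... by ... RemoteIP` and `IPCustomEntity = RemoteIP` receive a multi-address value rather than one IP. That should be split first: `| extend Domain = Name, SourceIp = ClientIP, RemoteIP = split(IPAddresses, ",")` (or the delimiter the table actually uses) before the expansion, which can then be written as `| mv-expand RemoteIP to typeof(string)` in place of the expand-plus-extend pair. Please confirm the column type against the workspace before relying on it, as it cannot be seen from this hunk.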