Fixing up some time syntax and passing thru some more context such as IPAddress and AppDisplayName
This commit is contained in:
Shain Wray (MSTIC)
Родитель
9f73087684
Коммит
d4b1250716
|
|
@ -16,11 +16,11 @@ relevantTechniques:
|
|||
- T1098
|
||||
query: |
|
||||
|
||||
let timeRange = ago(1d);
|
||||
let endtime = 7d;
|
||||
let endtime = 1d;
|
||||
let starttime = 7d;
|
||||
let legacyAuthentications =
|
||||
SigninLogs
|
||||
| where TimeGenerated >= ago(endtime)
|
||||
| where TimeGenerated >= ago(starttime)
|
||||
// success logons only
|
||||
| where ResultType == 0
|
||||
| extend ClientAppUsed = iff(isempty(ClientAppUsed)==true,"Unknown" ,ClientAppUsed)
|
||||
|
|
@ -32,18 +32,17 @@ query: |
|
|||
"Unknown")
|
||||
| where isLegacyAuth=="Yes";
|
||||
legacyAuthentications
|
||||
| where TimeGenerated >= timeRange
|
||||
| where TimeGenerated >= ago(endtime)
|
||||
// Don't alert for accounts already seen using legacy auth in prior 7 days
|
||||
| join kind=leftanti (
|
||||
legacyAuthentications
|
||||
| where TimeGenerated between((timeRange - endtime) .. timeRange)
|
||||
) on UserPrincipalName, ClientAppUsed
|
||||
| where TimeGenerated between(ago(starttime) .. ago(endtime))
|
||||
) on UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress
|
||||
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
|
||||
| extend LocationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/",
|
||||
tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]))
|
||||
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), AttemptCount = count()
|
||||
by isLegacyAuth, UserPrincipalName, ClientAppUsed , tostring(OS) , tostring(Browser) , LocationString
|
||||
| project StartTimeUtc, EndTimeUtc, UserPrincipalName, ClientAppUsed, AttemptCount, isLegacyAuth, OS, Browser, LocationString
|
||||
by UserPrincipalName, ClientAppUsed, AppDisplayName, IPAddress, isLegacyAuth, tostring(OS), tostring(Browser), LocationString
|
||||
| sort by AttemptCount desc nulls last
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
|
||||
|
||||
Загрузка…
Ссылка в новой задаче