Merge pull request #1090 from Azure/BugFix_FailedLogonAttemptswithin10m
Bug fix failed logon attemptswithin10m
This commit is contained in:
Коммит
ee7e10ef0e
|
@ -1,7 +1,7 @@
|
|||
id: 0777f138-e5d8-4eab-bec1-e11ddfbc2be2
|
||||
name: Failed logon attempts within 10 mins
|
||||
name: Failed logon attempts by valid accounts within 10 mins
|
||||
description: |
|
||||
'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum).'
|
||||
'Identifies when failed logon attempts are 20 or higher during a 10 minute period (2 failed logons per minute minimum) from valid account.'
|
||||
severity: Low
|
||||
requiredDataConnectors:
|
||||
- connectorId: SecurityEvents
|
||||
|
@ -23,9 +23,33 @@ query: |
|
|||
| where TimeGenerated >= ago(timeframe)
|
||||
| where EventID == 4625
|
||||
| where AccountType =~ "User"
|
||||
| summarize min(TimeGenerated), max(TimeGenerated), FailedLogonCount = count() by EventID, Activity, Computer, Account,
|
||||
TargetAccount, TargetUserName, TargetDomainName, LogonType, LogonTypeName, LogonProcessName, Status, SubStatus
|
||||
| where SubStatus !='0xc0000064' and Account !in ('\\', '-\\-')
|
||||
// SubStatus '0xc0000064' signifies 'Account name does not exist'
|
||||
| extend ResourceId = column_ifexists("_ResourceId", _ResourceId), SourceComputerId = column_ifexists("SourceComputerId", SourceComputerId)
|
||||
| extend Reason = case(
|
||||
SubStatus =~ '0xC000005E', 'There are currently no logon servers available to service the logon request.',
|
||||
SubStatus =~ '0xC0000064', 'User logon with misspelled or bad user account',
|
||||
SubStatus =~ '0xC000006A', 'User logon with misspelled or bad password',
|
||||
SubStatus =~ '0xC000006D', 'Bad user name or password',
|
||||
SubStatus =~ '0xC000006E', 'Unknown user name or bad password',
|
||||
SubStatus =~ '0xC000006F', 'User logon outside authorized hours',
|
||||
SubStatus =~ '0xC0000070', 'User logon from unauthorized workstation',
|
||||
SubStatus =~ '0xC0000071', 'User logon with expired password',
|
||||
SubStatus =~ '0xC0000072', 'User logon to account disabled by administrator',
|
||||
SubStatus =~ '0xC00000DC', 'Indicates the Sam Server was in the wrong state to perform the desired operation',
|
||||
SubStatus =~ '0xC0000133', 'Clocks between DC and other computer too far out of sync',
|
||||
SubStatus =~ '0xC000015B', 'The user has not been granted the requested logon type (aka logon right) at this machine',
|
||||
SubStatus =~ '0xC000018C', 'The logon request failed because the trust relationship between the primary domain and the trusted domain failed',
|
||||
SubStatus =~ '0xC0000192', 'An attempt was made to logon, but the Netlogon service was not started',
|
||||
SubStatus =~ '0xC0000193', 'User logon with expired account',
|
||||
SubStatus =~ '0xC0000224', 'User is required to change password at next logon',
|
||||
SubStatus =~ '0xC0000225', 'Evidently a bug in Windows and not a risk',
|
||||
SubStatus =~ '0xC0000234', 'User logon with account locked',
|
||||
SubStatus =~ '0xC00002EE', 'Failure Reason: An Error occurred during Logon',
|
||||
SubStatus =~ '0xC0000413', 'Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine',
|
||||
strcat('Unknown reason substatus: ', SubStatus))
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), FailedLogonCount = count() by EventID,
|
||||
Activity, Computer, Account, TargetAccount, TargetUserName, TargetDomainName,
|
||||
LogonType, LogonTypeName, LogonProcessName, Status, SubStatus, Reason, ResourceId, SourceComputerId, WorkstationName, IpAddress
|
||||
| where FailedLogonCount >= threshold
|
||||
| project StartTimeUtc = min_TimeGenerated, EndTimeUtc = max_TimeGenerated, FailedLogonCount, EventID, Activity, Computer,
|
||||
Account, TargetAccount, TargetUserName, TargetDomainName, LogonType, LogonTypeName, LogonProcessName, Status, SubStatus
|
||||
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer
|
||||
| extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
|
Загрузка…
Ссылка в новой задаче