Bringing in alerts requested by customer

Detections/SecurityEvent/ExcessiveLogonFailures.txt

@@ -0,0 +1,32 @@
+// Name: Excessive logon failures
+// Description: User has over 50 logon failures today and at least 25% of the count of logon failures previous 7 days
+//
+// Id: 2391ce61-8c8d-41ac-9723-d945b2e90720
+//
+// Severity: Low
+//
+// QueryFrequency: 1d
+//
+// QueryPeriod: 7d
+//
+// DataSource: #SecurityEvent
+//
+// Techniques: #LateralMovement, #Probing
+//
+let timeframe = 7d;
+let threshold = 0.25;
+let countlimit = 50;
+SecurityEvent
+| where TimeGenerated >= ago(1d)
+| where EventID == 4625
+| where AccountType == "User"
+| summarize CountToday = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
+| join (
+    SecurityEvent 
+    | where TimeGenerated >= ago(timeframe)
+    | where EventID == 4625
+    | where AccountType == "User"
+    | summarize CountLast7day = count() by EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
+) on EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress
+| where CountToday >= CountLast7day*threshold and CountToday >= countlimit
+| project EventID, Account, LogonTypeName, SubStatus, AccountType, Computer, WorkstationName, IpAddress, CountToday, CountLast7day, Avg7Day = CountLast7day/7

Detections/SecurityEvent/SecurityEventLogCleared.txt

@@ -0,0 +1,20 @@
+// Name: Security Event Log Cleared
+// Description: Checks for event id 1102 which indicates the security event log was cleared
+//
+// Id: 80da0a8f-cfe1-4cd0-a895-8bc1771a720e
+//
+// Severity: Low
+//
+// QueryFrequency: 1d
+//
+// QueryPeriod: 1d
+//
+// DataSource: #SecurityEvent
+//
+// Techniques: #Persistence, #DefenseEvasion
+//
+let timeframe = 1d;
+SecurityEvent
+| where TimeGenerated >= ago(timeframe)
+| where EventID == 1102
+| summarize count() by StartTimeUtc = TimeGenerated, Computer, Account, EventID, Activity 

Detections/SecurityEvent/UserCreatedAddedToBuiltinAdmins_1d.txt

@@ -0,0 +1,35 @@
+// Name: New User created and then added to builtin\administrators group
+// Description: User account was created and then added to the builtin Administrators group in the same day
+//
+// Id: aa1eff90-29d4-49dc-a3ea-b65199f516db
+//
+// Severity: Low
+//
+// QueryFrequency: 1d
+//
+// QueryPeriod: 1d
+//
+// DataSource: #SecurityEvent
+//
+// Techniques: #Persistence, #Discovery, #LateralMovement, #Collection
+//
+let timeframe = 1d;
+SecurityEvent
+| where TimeGenerated > ago(timeframe) 
+| where EventID == 4720
+| where AccountType == "User"
+| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer), CreatedUser = tolower(TargetUserName), Domain = toupper(TargetDomainName), CreatedUserSid = TargetSid, AccountUsedToCreateUser = SubjectUserName
+|join (
+SecurityEvent 
+| where TimeGenerated > ago(timeframe) 
+| where AccountType == "User"
+// 4732 - A member was added to a security-enabled local group
+| where EventID == 4732
+//TargetSid is the builin Admins group: S-1-5-32-544
+| where TargetSid == "S-1-5-32-544"
+| project GroupAddTime = TimeGenerated, GroupAddEventID = EventID, GroupAddActivity = Activity, Computer = toupper(Computer), GroupName = TargetUserName, Domain = toupper(TargetDomainName), GroupSid = TargetSid, UserAdded = SubjectUserName, UserAddedSid = SubjectUserSid, CreatedUser = tolower(SubjectUserName)
+)
+on CreatedUser, Domain
+//Create User first, then the add to the group.
+| where CreatedUserTime > GroupAddTime
+| project Computer, CreatedUserTime, CreatedUserEventID, CreatedUserActivity, CreatedUser, CreatedUserSid, Domain, GroupAddTime, GroupAddEventID, GroupAddActivity, AccountUsedToCreateUser, GroupName, GroupSid, UserAdded, UserAddedSid 

Hunting Queries/SecurityEvent/UserAdd_RemToGroupByUnauthorizedUser.txt

@@ -0,0 +1,20 @@
+// Name: User account added or removed from a security group by an unauthorized user
+// Description: User account added or removed from a security group by an unauthorized user, pass in a list
+//
+// Id: d57f675c-ad6c-44d0-95fb-3bf707e70155
+//
+// DataSource: #SecurityEvent
+//
+// Techniques: #Persistence, #Discovery, #LateralMovement, #PrivilegeEscalation
+//
+// Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain
+let List = datatable(AuthorizedUser:string, Domain:string)["Bob", "Domain", "joe", "domain", "MATT", "DOMAIN"];
+let timeframe = 1d;
+SecurityEvent
+| where TimeGenerated >= ago(timeframe)
+| where EventID in (4728, 4729, 4732, 4733, 4746, 4747, 4751, 4752, 4756, 4757, 4761, 4762)
+| join kind= leftanti (
+    List
+    | project SubjectUserName = tolower(AuthorizedUser), SubjectDomainName = toupper(Domain)
+) on SubjectUserName, SubjectDomainName
+| project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity

Hunting Queries/SecurityEvent/UserCreatedByUnauthorizedUser.txt

@@ -0,0 +1,21 @@
+// Name: User created by unauthorized user
+// Description: User account created by an unauthorized user, pass in a list
+//
+// Id: 42ae9690-89ce-4063-9a90-465badad5395
+//
+// DataSource: #SecurityEvent
+//
+// Techniques: #Persistence, #Discovery, #LateralMovement, #PrivilegeEscalation
+//
+// Create DataTable with your own values, example below shows dummy usernames that are authorized and for what domain
+let List = datatable(AuthorizedUser:string, Domain:string)["Bob", "Domain", "joe", "domain", "MATT", "DOMAIN"];
+let timeframe = 1d;
+SecurityEvent
+| where TimeGenerated >= ago(timeframe)
+| where EventID == 4720
+| where AccountType == "User"
+| join kind= leftanti (
+    List
+    | project SubjectUserName = tolower(AuthorizedUser), SubjectDomainName = toupper(Domain)
+) on SubjectUserName, SubjectDomainName
+| project TimeGenerated, Computer, Account, SubjectUserName, SubjectDomainName, TargetAccount, EventID, Activity