21 строка
716 B
YAML
21 строка
716 B
YAML
id: d0f13bb9-e713-4f89-b610-1806326a1dea
|
|
name: Summary of user logons by logon type
|
|
description: |
|
|
'Comparing succesful and nonsuccessful logon attempts can be used to identify attempts to move laterally within the
|
|
environment with the intention of discovering credentials and sensitive data.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- CredentialAccess
|
|
- LateralMovement
|
|
relevantTechniques:
|
|
- T1110
|
|
query: |
|
|
|
|
SecurityEvent
|
|
| where EventID in (4624, 4625)
|
|
| where AccountType == 'User'
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), Amount = count() by LogonTypeName
|
|
| extend timestamp = StartTimeUtc |