Azure-Sentinel/Workbooks/InsecureProtocols.json


{
"version": "Notebook/1.0",
"items": [
{
"type": 1,
"content": {
"json": "## Insecure Protocols\n"
},
"name": "text - 2"
},
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "6b543dcb-ffbe-4fca-80d7-68d15257c377",
"version": "KqlParameterItem/1.0",
"name": "DefaultSubscription_Internal",
"type": 1,
"isRequired": true,
"query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId",
"crossComponentResources": [
"value::selected"
],
"isHiddenWhenLocked": true,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "959662e2-5c74-4876-b5c7-0aaeb2de2ca5",
"version": "KqlParameterItem/1.0",
"name": "Subscription",
"type": 6,
"query": "resources\r\n| summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)",
"crossComponentResources": [
"value::selected"
],
"typeSettings": {
"additionalResourceOptions": []
},
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "d0ab5058-af8c-4ea2-b4a4-8d836769d278",
"version": "KqlParameterItem/1.0",
"name": "Workspace",
"type": 5,
"query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| project id",
"crossComponentResources": [
"{Subscription}"
],
"value": null,
"typeSettings": {
"additionalResourceOptions": []
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources"
},
{
"id": "020de58b-73ca-47fe-838e-bc3ac7afaef6",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"type": 4,
"isRequired": true,
"value": {
"durationMs": 604800000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": true
}
},
{
"id": "39b2b987-3569-4bc8-96b4-85c43f1c275b",
"version": "KqlParameterItem/1.0",
"name": "Help",
"label": "Show Help",
"type": 10,
"description": "Toggle to show Help for each tab.",
"isRequired": true,
"typeSettings": {
"additionalResourceOptions": [],
"showDefault": false
},
"jsonData": "[\r\n { \"value\": \"Yes\", \"label\": \"Yes\"},\r\n {\"value\": \"No\", \"label\": \"No\", \"selected\":true },\r\n { \"value\": \"Change Log\", \"label\": \"Change Log\"}\r\n]\r\n"
}
],
"style": "above",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 7"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "d227db69-0ed6-4a0c-8b32-52d63b6abb97",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Summary",
"subTarget": "Summary",
"style": "link"
},
{
"id": "c98966ad-34ee-4d5e-a887-9d9016bbe936",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "LDAP",
"subTarget": "LDAP",
"preText": "LDAP",
"style": "link"
},
{
"id": "04f95974-97a2-43ac-a2b8-f82fd53b1569",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "NTLM",
"subTarget": "NTLM",
"style": "link"
},
{
"id": "c044c677-3a45-4d4c-941d-3f0e1e48f11c",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "SMB",
"subTarget": "SMB",
"style": "link"
},
{
"id": "337ad651-be31-42a7-8ff0-be12c2a4bc6c",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Kerberos",
"subTarget": "Kerberos",
"style": "link"
},
{
"id": "21019a79-11e5-48e4-97b6-19062f7901c1",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "WDigest",
"subTarget": "WDigest",
"style": "link"
},
{
"id": "da0803ba-fee6-4d54-9e66-b9b8611198b7",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "AAD Legacy Auth ",
"subTarget": "AADLegacy",
"style": "link"
},
{
"id": "da70784a-a74b-4272-9b79-2ee727f8081f",
"cellValue": "selectedTab",
"linkTarget": "parameter",
"linkLabel": "Vulnerable Secure Channel",
"subTarget": "NetlogonSC",
"style": "link"
}
]
},
"name": "links - 34"
},
{
"type": 1,
"content": {
"json": "### Change Log\r\nBrian Delaney, Clive Watson, Jon Shectman - Microsoft <br>\r\n\t\r\n\tVersion v2.0\r\n\tFiltered Legacy Authentication to success only\r\n\tAdded Export/Open Query buttons to detailed views\r\n\tReorganized Insecure LDAP\r\n\tFixed TimeRange in NTLM query to follow parameter selection\r\n\tOther minor improvements\r\n\r\n\tVersion v1.9\r\n\tUpdated AAD Legacy Auth (Exchange ActiveSync)\r\n\r\n\tVersion v1.8\r\n\tAdded Vulnerable Netlogon Secure Channel\r\n\tAdded Legacy Authentication to Summary\r\n\tFixed reporting of Weak Kerberos Cipher in summary\r\n\t\r\n\t\r\n\tVersion v1.7\r\n\tAdded Tabs\r\n\tFixed a bug\r\n\tAdded Timebrushing and Groupings\r\n\tAdded Help sections",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Change Log"
},
"customWidth": "30",
"name": "text - 24"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Summary",
"items": [
{
"type": 1,
"content": {
"json": "### Welcome to the Insecure Protocols Workbook\r\nThis workbook will help you audit and remove Insecure Protocols from your Active Directory and Azure Active Directory estates.<br>\r\nFor more information about this workbook (and for help with audit settings), navigate to [here](https://aka.ms/sentinelipsetup).<br>\r\nFor help as you navigate this workbook, toggle Show Help at the page top.",
"style": "info"
},
"customWidth": "70",
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 24 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"size": 0,
"title": "Summary of Insecure Protocols: {TimeRange:label}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "series",
"exportParameterName": "SelectedProtocol",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "piechart",
"gridSettings": {
"sortBy": [
{
"itemKey": "Count",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "Count",
"sortOrder": 2
}
]
},
"customWidth": "40",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Summary"
},
"name": "IPbyTypePie"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| project Protocol, Count, TimeGenerated\r\n| union legacyAuth\r\n| where Protocol =~ \"{SelectedProtocol}\" or \"{SelectedProtocol}\" =~ \"All\"\r\n| sort by Count desc\r\n",
"size": 0,
"title": "Summary of Insecure Protocols: {TimeRange:label}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"gridSettings": {
"sortBy": [
{
"itemKey": "Count",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "Count",
"sortOrder": 2
}
]
},
"customWidth": "60",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Summary"
},
"name": "IPbyTypeandTimeBar"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nlet legacyAuth = SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by Protocol=\"AAD Legacy Auth\";\r\nSecurityEvent\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| union Event\r\n| where (EventID == 2889) or (EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit') or (EventID == 4624 and AuthenticationPackageName == 'NTLM' and LmPackageName == 'NTLM V1' and Account !contains 'ANONYMOUS LOGON') or ((EventID == 4624 or EventID == 4776) and Level == 8 and PackageName contains 'WDigest') or (EventID == 4768 or EventID == 4769) and Level == 8 and (TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\") or ((EventLog =~ \"System\" and Source =~ \"NETLOGON\") and EventID in (scEvents))\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by tostring(EventID)\r\n//| extend Protocol=replace(tostring(4776), 'WDigest', replace(tostring(4768), 'Kerberos weak cipher', replace(tostring(4769), 'Kerberos weak cipher', replace(tostring(2889), 'Insecure LDAP', replace(tostring(4624), 'NTLM v1', replace(tostring(3000), 'SMB v1', tostring(EventID)))))))\r\n| extend Protocol = case(EventID == 4776, \"WDigest\", EventID == 4768 or EventID == 4769, \"Weak Kerberos Cipher\", EventID == 2889, \"Insecure LDAP\", EventID == 4624, \"NTLM v1\", EventID == 3000, \"SMBv1\", EventID in (scEvents), \"Vulnerable Secure Channel\", \"Unknown\")\r\n| summarize FirstOccurance=min(FirstOccurance), LastOccurance=max(LastOccurance), Count=sum(Count) by Protocol\r\n| union legacyAuth\r\n| sort by Count desc\r\n",
"size": 1,
"title": "Summary of Insecure Protocols found in: {TimeRange:label}",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"sortBy": [],
"tileSettings": {
"showBorder": false
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "TableName",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"centerContent": {
"columnMatch": "Normal EventID",
"formatter": 1,
"formatOptions": {
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "excellent_ok",
"sourceIdField": "TableName",
"targetIdField": "excellent_ok",
"edgeLabel": "excellent_ok",
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": null,
"groupByField": "TableName",
"hivesMargin": 5
},
"chartSettings": {
"group": "Crucial EventID",
"createOtherGroup": null
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Summary"
},
"name": "SummaryByIP"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Summary"
},
"name": "group - Summary"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Insecure LDAP",
"items": [
{
"type": 1,
"content": {
"json": "### LDAP Help File\r\n\r\n**Protocol Risk**\r\n\t* Clients are returning unsigned traffic, which is susceptible to replay or attacker-in-the-middle attacks.\r\n\t* This may result in nefarious activity, such as modified packets, in which a server or even a person makes decisions based on forged data.\r\n\t* The organization is exposing its highly-privileged authentication principals' credentials – such as the ones for those that belong to the Domain Admins group. With a simple network capture, an attacker can steal these credentials and achieve an escalation path or even a domain dominance type scenario. In the case of simple binds, the organization is exposing plaintext authentication credentials.\r\n\r\n**Auditing Settings**\r\n\t* Set auditing for 2889 on every DC - In the registry key “HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics” set a DWORD with name \"16 LDAP Interface Events” to a value of “2\"\r\n\t* In Log Analytics/Sentinel, set log collection from the Directory Service log.\r\n\r\n**Mitigation Planning**\r\n\t* Work with application owners, vendors, and users to use LDAP over TLS (LDAPS://) – ports 636 and 3269.\r\n\t* Once there is no more 2889 insecure LDAP traffic, set the DCs to no longer accept it. GPO: Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options\r\n\t* If this is not possible, you can secure the entire exchange with IPSec. However, you will not be able to disallow insecure LDAP at the DCs; so using LDAPS is recommended.\r\n\r\n**Data Filters**\r\n\t* Account\r\n\t* Account timebrush\r\n\t* IP\r\n\t* IP timebrush",
"style": "info"
},
"customWidth": "100",
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend Title = \"Number of events\"\r\n | summarize QueryCount = count(EventID) by Title//, NumberOfIPs = dcount(IPAddress), NumberOfAccounts = dcount(Account)",
"size": 4,
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Title",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "QueryCount",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend Title = \"Number of Accounts\"\r\n | summarize QueryCount = dcount(Account) by Title//, NumberOfIPs = dcount(IPAddress), NumberOfAccounts = dcount(Account)",
"size": 4,
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Title",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "QueryCount",
"formatter": 12,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"showBorder": false
}
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 10"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend Title = \"Number of IP Addresses\"\r\n | summarize QueryCount = dcount(IPAddress) by Title//, NumberOfIPs = dcount(IPAddress), NumberOfAccounts = dcount(Account)",
"size": 4,
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Title",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "QueryCount",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"showBorder": false
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 9 - Copy"
},
{
"type": 1,
"content": {
"json": "\r\n### By Account\r\n---"
},
"name": "text - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | summarize QueryCount = count(EventID) by Account, IPAddress\r\n | order by QueryCount\r\n",
"size": 0,
"title": "By Account - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Account",
"exportParameterName": "Account",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "QueryCount",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "orange",
"showIcon": true
}
},
{
"columnMatch": "TimeGenerated",
"formatter": 4,
"formatOptions": {
"showIcon": true
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_QueryCount_2",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "Account"
},
{
"columnId": "IPAddress",
"label": "Source IP"
},
{
"columnId": "QueryCount",
"label": "Number of Insecure Binds"
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_QueryCount_2",
"sortOrder": 2
}
]
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "LDAP by Account"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | summarize count() by Account, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "Account events over time - select timebrush",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
},
"customWidth": "30",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 11"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where Account == '{Account:escape}' or '{Account:escape}' == \"All\"\r\n | extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | project Account, IPAddress, Computer, RenderedDescription, UserName, EventID, BindingType, Time_of_Bind=TimeAgo",
"size": 0,
"showAnalytics": true,
"title": "Account Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushAccount",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Account",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "RenderedDescription",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserName",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "EventID",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "Account"
},
{
"columnId": "IPAddress",
"label": "Source IP"
},
{
"columnId": "Computer",
"label": "Domain Controller"
},
{
"columnId": "Time_of_Bind",
"label": "Binding Time"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 7"
},
{
"type": 1,
"content": {
"json": "### By Source IP\r\n---"
},
"name": "text - 13"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Account '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | summarize QueryCount = count(EventID) by IPAddress, Account\r\n",
"size": 0,
"title": "By Source IP - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "IPAddress",
"exportParameterName": "IPAddress",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Account",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "QueryCount",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "blueDark",
"showIcon": true,
"aggregation": "Sum"
}
},
{
"columnMatch": "Account Count",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "magenta",
"showIcon": true
}
},
{
"columnMatch": "ParentId",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "LDAPClient",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
}
],
"sortBy": [
{
"itemKey": "$gen_bar_QueryCount_2",
"sortOrder": 2
}
],
"labelSettings": [
{
"columnId": "IPAddress",
"label": "Source IP"
},
{
"columnId": "Account"
},
{
"columnId": "QueryCount",
"label": "Number of Insecure Binds"
}
]
},
"sortBy": [
{
"itemKey": "$gen_bar_QueryCount_2",
"sortOrder": 2
}
]
},
"customWidth": "20",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})",
"size": 0,
"title": "IP address events over time - select timebrush",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "LDAPTimebrushIP",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart"
},
"customWidth": "30",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 12"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n | where EventID == 2889 \r\n | parse ParameterXml with * '><Param>' Accounts '</' *\r\n | parse ParameterXml with * '<Param>' IPAddress ':' * \r\n | parse kind = regex ParameterXml with * '</Param><Param>' * '</Param><Param>' BindingType '</Param>'\r\n | extend TimeFromNow = now() - TimeGenerated\r\n | extend TimeAgo = strcat(case(TimeFromNow < 2m, strcat(toint(TimeFromNow / 1m), ' seconds'), TimeFromNow < 2h, strcat(toint(TimeFromNow / 1m), ' minutes'), TimeFromNow < 2d, strcat(toint(TimeFromNow / 1h), ' hours'), strcat(toint(TimeFromNow / 1d), ' days')), ' ago')\r\n | where IPAddress == '{IPAddress:escape}' or '{IPAddress:escape}' == \"All\"\r\n | extend BindingType = case(BindingType==0,\"Unsigned\",BindingType==1,\"Simple\",\"Unknown\")\r\n | project IPAddress, Accounts, Computer, RenderedDescription, UserName, EventID, BindingType, Time_of_Bind=TimeAgo",
"size": 0,
"showAnalytics": true,
"title": "Source IP Details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "LDAPTimebrushIP",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "IPAddress",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "RenderedDescription",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserName",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "EventID",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "query - 8"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "LDAP"
},
"name": "group - LDAP"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: NTLMv1",
"items": [
{
"type": 1,
"content": {
"json": "### NTLM Help File\r\n\r\n**Protocol Risk**\r\n\t* It is far less complex for an attacker to anticipate the challenge length in NTLMv1, as it is always a 16-byte random number. NTLMv2, on the other hand, uses a challenge of variable length.\r\n\t* Recall also that NTLMv1 uses DES encryption, whereas NTLMv2 uses the stronger HMAC-MD5. As of now, it's less likely that an attacker can successfully brute-force HMAC-MD5.\r\n\t* Also, because NTLMv1 is so much less secure, the only protocols that Windows Defender Credential Guard supports are Kerberos and NTLMv2. You'll have to address the sources of NTLMv1 before using Credential Guard.\r\n\r\n**Auditing Settings**\r\n\t* Set auditing for 4624 and 4625, and also for 4776 via Group Policy.\r\n\t\t* Windows Settings/Security Settings/Advanced Audit Configuration/Account Logon/Logon/Logoff/Audit Credential Validation with value of “Success, Failure.”\r\n\t\t* Windows Settings/Security Settings/Advanced Audit Configuration/(Logon/Logoff)/Audit Logoff with value of \"Success, Failure.\"\r\n\t\t* Windows Settings/Security Settings/Advanced Audit Configuration/(Logon/Logoff)/Audit Logon with value of \"Success, Failure.\"\r\n\r\n**Mitigation Planning**\r\n\t* Work with application owners and vendors to use a more secure protocol like Kerberos or NTLMv2.\r\n\t* Where unsupported operating systems, old applications or outdated appliances cannot use Kerberos or NTLMv2, work with decision makers to understand the risks to the organization.\r\n\t* Create a plan to remove the problem devices, applications and appliances from the network.\r\n\r\n**Data Filters**\r\n\t* Source and server\r\n\t* Timebrush\r\n\t* NTLM v1 event details by time",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| summarize Count = count() by WorkstationName, Computer \r\n| project WorkstationName, Computer, Count\r\n| order by Count desc\r\n",
"size": 0,
"title": "NTLM v1 events, by Source and server - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "",
"exportParameterName": "WorkstationName",
"exportDefaultValue": "{\"WorkstationName\":\"All\"}",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "WorkstationName",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Computer",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"WorkstationName"
]
},
"sortBy": [
{
"itemKey": "Computer",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "Computer",
"sortOrder": 2
}
],
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "WorkstationName",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "NTLM"
},
"name": "query - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| where '{WorkstationName:escape}' contains \"All\" or '{WorkstationName:escape}' contains WorkstationName\r\n| summarize Count=count() by WorkstationName, Day=bin(TimeGenerated, {TimeRange:grain}) ",
"size": 0,
"title": "NTLM v1 events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "NTLMTimebrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "NTLM"
},
"name": "query - 15"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent \r\n| where EventID == 4624 \r\n| where AuthenticationPackageName == 'NTLM' \r\n| where LmPackageName == 'NTLM V1' \r\n| where Account !contains 'ANONYMOUS LOGON' \r\n| where '{WorkstationName:escape}' contains \"All\" or ('{WorkstationName:escape}' contains WorkstationName and '{WorkstationName:escape}' contains Computer)\r\n| summarize Count = count() by Account, WorkstationName, DC=Computer, LogonProcessName, TargetDomainName, TargetAccount, IpAddress\r\n| sort by Count desc ",
"size": 0,
"showAnalytics": true,
"title": "NTLM v1 events details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "greenRed",
"showIcon": true
}
}
],
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "NTLM"
},
"name": "query - 16"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "NTLM"
},
"name": "Group - NTLM"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: SMBv1",
"items": [
{
"type": 1,
"content": {
"json": "### SMB Help File\r\n\r\n**Protocol Risk**\r\n\t* The security built into SMBv2 and SMBv3 is primarily around protecting against security downgrade attacks (Pre-authentication Integrity, Secure Dialect Negotiation) and attacker-in-the-middle attacks (Encryption, Insecure guest auth blocking). SMB1 simply doesn't know about or contain any of these protections.\r\n\t* If you have SMBv1 enabled on your file servers or domain controllers, then an attacker-in-the-middle can simply block SMB2/3 and force a downgrade attack. The net effect here will be that your computer(s), if they still have the SMBv1 client enabled, will gracefully flip over to SMBv1, thereby exposing the exchange's data.\r\n\t* SMBv1 continues to be a primary component in destructive ransomware attacks.\r\n\r\n**Auditing Settings**\r\n\t* On the servers that you will audit, run the following PowerShell command to enable auditing: Set-SmbServerConfiguration -AuditSmb1Access $true\r\n\t* Note that this auditing is only supported on Server 2016/Windows 10 and, via an update, on Server 2012 R2/Windows 8.1.\r\n\t* Finally, in the Log Analytics configuration, you will need to set “Collect events from the following event logs” to Microsoft-Windows-SMBServer/Audit and set the log type to INFORMATION.\r\n\r\n**Mitigation Planning**\r\n\t* Work with application owners and vendors to use a more secure SMB version, such as SMBv2 or SMBv3.\r\n\t* Once there is no more SMBv1, turn it off on every Windows server (not only the DCs). Registry key: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters, REG_DWORD value SMB1 = 0 (Disabled). On Server 2012 R2 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false does the same, and removing the SMB1 feature altogether (Remove-WindowsFeature FS-SMB1) is preferable because the protocol can then no longer be re-enabled by configuration drift.\r\n\t* Disable the SMBv1 client on workstations as well; a client that still speaks SMBv1 remains exposed to the downgrade attack above even when your servers refuse it.\r\n\r\n**Data Filters**\r\n\t* Events by client \r\n\t* Server timebrush\r\n\t* Events by server",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = Event\r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit' \r\n| parse ParameterXml with * '<Param>' ClientAddress '</' * \r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))));\r\ndata\r\n| summarize Count = count() by Client\r\n| join kind = fullouter (datatable(Client:string)['Medium', 'high', 'low']) on Client\r\n| project Client = iff(Client == '', Client1, Client), Count = iff(Client == '', 0, Count)\r\n| join kind = inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by Client)\r\n on Client\r\n| project-away Client1, TimeGenerated\r\n| extend Clients = Client\r\n| union (\r\n data \r\n | summarize Count = count() \r\n | extend jkey = 1\r\n | join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain}\r\n | extend jkey = 1) on jkey\r\n | extend Client = 'All', Clients = '*' \r\n)\r\n| order by Count desc\r\n| take 10\r\n",
"size": 4,
"title": "SMB v1 events, by client - click to filter",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Client",
"exportParameterName": "ClientFilter",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Client",
"formatter": 1,
"formatOptions": {
"showIcon": true
}
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto",
"showIcon": true
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"secondaryContent": {
"columnMatch": "Trend",
"formatter": 9,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true
}
},
"showBorder": false
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SMB"
},
"name": "query - 18"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event\r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit'\r\n| parse ParameterXml with * '<Param>' ClientAddress '</' *\r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))))\r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by Client, SMBServer=Computer, ParameterXml, RenderedDescription, EventData\r\n| sort by Count desc",
"size": 1,
"showAnalytics": true,
"title": "SMB v1 event details, by client",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "barchart",
"gridSettings": {
"formatters": [
{
"columnMatch": "Client",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "SMBServer",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "ParameterXml",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "RenderedDescription",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "EventData",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenBlue",
"showIcon": true,
"aggregation": "Sum"
}
},
{
"columnMatch": "$gen_group",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Client"
]
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SMB"
},
"name": "query - 20"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event \r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit' \r\n| parse ParameterXml with * '<Param>' ClientAddress '</' * \r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress)))) \r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by bin(TimeGenerated, 1h) , SMBServer=Computer \r\n\r\n",
"size": 0,
"title": "SMB v1 events, by time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "SMBtimebrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "timechart"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SMB"
},
"name": "query - 19"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Event\r\n| where EventID == 3000 and EventLog == 'Microsoft-Windows-SMBServer/Audit'\r\n| parse ParameterXml with * '<Param>' ClientAddress '</' *\r\n| extend Client = replace(@'>', @'', replace(@'\\]', @'', replace(@'\\[', @'', replace(@'<!\\[CDATA', @'', ClientAddress))))\r\n| where Client == '{ClientFilter}' or '{ClientFilter}' == \"All\"\r\n| summarize Count=count() by Client, SMBServer=Computer, ParameterXml, RenderedDescription, EventData\r\n| sort by Count desc",
"size": 0,
"showAnalytics": true,
"title": "SMBv1 events, by server",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Client",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
},
{
"columnMatch": "SMBServer",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "ParameterXml",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "RenderedDescription",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "EventData",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenBlue",
"showIcon": true,
"aggregation": "Sum"
}
},
{
"columnMatch": "$gen_group",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true,
"showIcon": true
}
}
],
"filter": true,
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"Client"
]
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SMB"
},
"name": "query - 20 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "SMB"
},
"name": "group - SMBv1"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Kerberos Ciphers",
"items": [
{
"type": 1,
"content": {
"json": "### Kerberos Help File\r\n\r\n**Protocol Risk**\r\n\t\r\n\tWhen weak cipher suites are permitted for the Kerberos protocol, attackers can leverage encryption downgrades to their advantage and make the protocol easier to compromise.\r\n\tPossible encryption types:\r\n\t* DES_CBC_CRC | Weak\r\n\t* DES_CBC_MD5 | Weak\r\n\t* RC4_HMAC_MD5 | Weak (legacy) - its key is the account's NT hash, so service tickets issued with it are the ones most easily cracked offline to recover service-account passwords\r\n\t* AES128_HMAC_SHA1 | Strong\r\n\t* AES256_HMAC_SHA1 | Strong\r\n\t\r\n\tStarting in Windows Server 2008 / Windows Vista, AES encryption has been available for the Kerberos protocol. At present, all supported versions of Windows have DES encryption for Kerberos disabled by default. While DES can be enabled for backward compatibility, doing so will open up an attack vector.\r\n\r\n**Auditing Settings**\r\n\t\r\n\tUnder Account Logon, set the following audit settings to Success, Failure\r\n\t\t* Audit Kerberos Authentication Service\r\n\t\t* Audit Kerberos Service Ticket Operations\r\n\tUnder Logon/Logoff set the following settings to Success, Failure\r\n\t\t* Audit Logon\r\n\tEvents 4768 and 4769 are written only on domain controllers, so the Security log must be collected from every DC for this tab to be complete.\r\n\r\n**Mitigation Planning**\r\n\t* Weak Kerberos Ciphers can be caused by downlevel Operating Systems (Client or Server), Account Configuration issues, Trust Configuration Issues or 3rd party OS/Software configuration.\r\n\t* Look for patterns in the data that will help identify the cause of the weak cipher, such as accessing a common service, or a common set of workstations.\r\n\t* Once identified, work with the OS/Account/Trust owners to remediate the requirement for the weak cipher.\r\n\t* Before removing RC4, make sure every account and trust actually has AES keys: Kerberos keys are only generated when a password is set, so accounts whose password predates AES support (service accounts with SPNs and the krbtgt account in particular) need a password reset, and msDS-SupportedEncryptionTypes must allow AES. Disabling RC4 before this is done will cause authentication failures rather than a quiet improvement.\r\n\t* When the weak ciphers have been eliminated from the environment, disable them across your Windows Computers in the policy Computer Configuration\\Windows Settings\\Security Setting\\Local Policies\\Security Options\\Network security: Configure encryption types allowed for Kerberos.\r\n\r\n**Data Filters**\r\n\t* Timebrush\r\n\t* Weak ciphers event details\r\n\t* Weak ciphers event details by account\r\n\r\n**References**\r\n- [Network security: Configure encryption types allowed for Kerberos](https://docs.microsoft.com/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos)\r\n- [Advanced Security Audit Policy Settings](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn319056%28v=ws.11%29)\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 4",
"styleSettings": {
"margin": "5"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher\r\n",
"size": 0,
"title": "Kerberos weak ciphers - click to filter",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Cipher",
"exportParameterName": "CipherParameter",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "blue"
}
}
]
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Cipher",
"formatter": 1
},
"centerContent": {
"columnMatch": "Count",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "query - 22 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| where Cipher == '{CipherParameter}' or '{CipherParameter}' == \"All\"\r\n| summarize Count=count() by Cipher, IpAddress, TargetUserName , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"title": "Kerberos weak ciphers event details - filtered by cipher",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "TargetUserName",
"exportParameterName": "targetUserNameKerberosParameter",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Cipher",
"formatter": 5,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "IpAddress",
"formatter": 5
},
{
"columnMatch": "ServiceName",
"formatter": 5
},
{
"columnMatch": "Computer",
"formatter": 5
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenRed"
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "query - 23 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher, bin(TimeGenerated, 1h)\r\n",
"size": 0,
"title": "Kerberos weak ciphers - select to timebrush",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "KeberosTimeBrush",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart"
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "query - 22"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize Count=count() by Cipher, IpAddress, TargetUserName , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details: {KeberosTimeBrush:label} - select TargetUserName for details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "KeberosTimeBrush",
"exportFieldName": "TargetUserName",
"exportParameterName": "targetUserNameKerberosParameter",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Cipher",
"formatter": 5,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "IpAddress",
"formatter": 5
},
{
"columnMatch": "ServiceName",
"formatter": 5
},
{
"columnMatch": "Computer",
"formatter": 5
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenRed"
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "query - 23"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| extend IpAddress = tostring(split(IpAddress,\"f:\").[1])\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n//| where TargetUserName in ('{targetUserNameKerberosParameter}')\r\n| where TargetUserName == '{targetUserNameKerberosParameter:escape}' or '{targetUserNameKerberosParameter:escape}' == \"All\"\r\n| summarize OldestRecord = min(TimeGenerated), NewestRecord = max(TimeGenerated), Count=count() by TargetUserName, Cipher, IpAddress , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details: {targetUserNameKerberosParameter}, {KeberosTimeBrush:label}",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "KeberosTimeBrush",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Cipher",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "EventData",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenRed"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TargetUserName"
},
{
"columnId": "Cipher"
},
{
"columnId": "IpAddress"
},
{
"columnId": "ServiceName"
},
{
"columnId": "Computer"
}
]
},
"sortBy": []
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "query - 23 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SecurityEvent\r\n| where EventID == 4768 or EventID == 4769\r\n| where Level == 8\r\n| parse EventData with * '\"TicketEncryptionType\">' TicketEncryptionType '<' *\r\n| where TicketEncryptionType != \"0x12\" and TicketEncryptionType != \"0x11\" //AES128/256, this filter needs to be activated\r\n| parse EventData with * '\"IpAddress\">' IpAddress '<' *\r\n| extend IpAddress = tostring(split(IpAddress,\"f:\").[1])\r\n| parse EventData with * '\"TargetUserName\">' TargetUserName '<' *\r\n| parse EventData with * '\"ServiceName\">' ServiceName '<' *\r\n| extend Cipher=replace('0x18$', 'RC4-HMAC-EXP', replace('0x12$', 'AES256-CTS-HMAC-SHA1', replace('0x11$', 'AES128-CTS-HMAC-SHA1', replace('0x1$', 'DES_CBC_CRC', replace('0x2$', 'DES_CBC_MD4', replace('0x7$', 'DES3_CBC_SHA1', replace('0x5$', 'DES3_CBC_MD5', replace('0x3$', 'DES_CBC_MD5', replace('0x17$', 'RC4_HMAC', TicketEncryptionType)))))))))\r\n| summarize OldestRecord = min(TimeGenerated), NewestRecord = max(TimeGenerated), Count=count() by TargetUserName, Cipher, IpAddress , ServiceName, Computer, Activity\r\n| sort by Count desc\r\n",
"size": 0,
"showAnalytics": true,
"title": "Kerberos weak ciphers event details unfiltered",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Cipher",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "EventData",
"formatter": 7,
"formatOptions": {
"linkTarget": "GenericDetails",
"linkIsContextBlade": true
}
},
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "greenRed"
}
}
],
"filter": true,
"labelSettings": [
{
"columnId": "TargetUserName"
},
{
"columnId": "Cipher"
},
{
"columnId": "IpAddress"
},
{
"columnId": "ServiceName"
},
{
"columnId": "Computer"
}
]
},
"sortBy": []
},
"conditionalVisibilities": [
{
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
{
"parameterName": "targetUserNameKerberosParameter",
"comparison": "isNotEqualTo"
}
],
"name": "query - 23 - Copy - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "Kerberos"
},
"name": "Group - Kerberos"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: WDigest",
"items": [
{
"type": 1,
"content": {
"json": "### WDigest Help File\r\n\r\n**Protocol Risk**\r\n\t* WDigest is a deprecated authentication protocol. While it is enabled, LSASS keeps a copy of each logged-on user's plaintext password in memory so that it can answer Digest challenges.\r\n\t* Attackers with local administrator or SYSTEM rights can simply read those plaintext passwords from LSASS memory using commodity tools, and they commonly re-enable WDigest on compromised hosts for exactly this reason; alert on the registry value below changing back to 1.\r\n\t* Also, because WDigest is so much less secure, it is not supported in Windows Defender Credential Guard. You'll have to address the sources of WDigest before using Credential Guard.\r\n\r\n**Auditing Settings**\r\n\t* Set auditing for 4776 (non-Kerberos logon) – Windows Settings/Security Settings/Advanced Audit Configuration/Account Logon/Audit Credential Validation with value of “Success, Failure.”\r\n\r\n**Mitigation Planning**\r\n\t* Work with application owners and vendors to use a more secure protocol like NTLMv2 or Kerberos.\r\n\t* Once there is no more Digest, disable credential caching on every Windows host - workstations and servers, not only the DCs, because the setting governs what each machine's own LSASS keeps in memory. Registry (may be done via GP Preferences): HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest, REG_DWORD value UseLogonCredential.\r\n\t* Set this to a value of 0 (the default on Windows 8.1/Server 2012 R2 and later, and on earlier versions once KB2871997 is installed). Credentials already cached in LSASS stay there until those sessions end, so a restart is required for the change to take full effect.\r\n\r\n**Data Filters**\r\n\t* Account workstation\r\n\t* Workstation over time\r\n\t* Account timebrush\r\n",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = SecurityEvent \r\n| where EventID == 4624 or EventID == 4776 \r\n| where Level == 8 \r\n| where PackageName contains 'WDigest';\r\nlet appData = data\r\n| summarize TotalCount = count() by TargetAccount\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by TargetAccount\r\n | project-away TimeGenerated) on TargetAccount\r\n| order by TotalCount desc, TargetAccount asc\r\n| project TargetAccount, TotalCount, Trend\r\n| serialize Id = row_number();\r\ndata\r\n| summarize TotalCount = count() by Workstation , TargetAccount\r\n| join kind=inner (data\r\n | make-series Trend = count() default = 0 on TimeGenerated in range({TimeRange:start}, {TimeRange:end}, {TimeRange:grain}) by TargetAccount, Workstation\r\n | project-away TimeGenerated) on TargetAccount, Workstation\r\n| order by TotalCount desc, TargetAccount asc\r\n| project TargetAccount, Workstation, TotalCount, Trend\r\n| serialize Id = row_number(1000000)\r\n| join kind=inner (appData) on TargetAccount\r\n| project Id, Name = Workstation, Type = 'Workstation', ['TargetAccounts Count'] = TotalCount, Trend, ParentId = Id1\r\n| union (appData \r\n | project Id, Name = TargetAccount, Type = 'TargetAccount', ['TargetAccounts Count'] = TotalCount, Trend)\r\n| order by ['TargetAccounts Count'] desc, Name asc\r\n",
"size": 0,
"title": "WDigest, by account workstation - click to filter",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportParameterName": "WDigest",
"exportDefaultValue": "{ \"Name\":\"\", \"Type\":\"*\"}",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Id",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "TargetAccounts Count",
"formatter": 8,
"formatOptions": {
"min": 0,
"palette": "blue",
"showIcon": true
}
},
{
"columnMatch": "Trend",
"formatter": 10,
"formatOptions": {
"min": 0,
"palette": "orange",
"showIcon": true
}
},
{
"columnMatch": "ParentId",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
}
],
"hierarchySettings": {
"idColumn": "Id",
"parentColumn": "ParentId",
"treeType": 0,
"expanderColumn": "Name"
}
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Name",
"formatter": 1
},
"centerContent": {
"columnMatch": "Id",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WDigest"
},
"name": "query - 25"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let details = dynamic({WDigest});\r\nSecurityEvent \r\n| where EventID == 4624 or EventID == 4776 \r\n| where Level == 8 \r\n| where PackageName contains 'WDigest' \r\n| where (details.Type == 'Workstation' and details.Name == Workstation) or (details.Type == 'TargetAccount' and details.Name == TargetAccount) or (details.Type == '*')\r\n| summarize Count=count() by Workstation, bin(TimeGenerated, 1h)",
"size": 0,
"title": "WDigest Workstation over Time",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "wDigestTimeBrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "areachart"
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WDigest"
},
"name": "query - 26"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let details = dynamic({WDigest});\r\nSecurityEvent\r\n| where EventID == 4624 or EventID == 4776\r\n| where Level == 8\r\n| where PackageName contains 'WDigest'\r\n| where (details.Type == 'Workstation' and details.Name == Workstation) or (details.Type == 'TargetAccount' and details.Name == TargetAccount) or (details.Type == '*')\r\n| summarize Count=count() by TargetAccount, Workstation, WDigestServer=Computer , Activity\r\n| sort by Count desc",
"size": 0,
"showAnalytics": true,
"title": "WDigest Account over time ({wDigestTimeBrushAccount:label})",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "wDigestTimeBrushAccount",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "coldHot",
"showIcon": true
}
}
],
"filter": true
}
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WDigest"
},
"name": "query - 27"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "WDigest"
},
"name": "WDigest"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: AAD Legacy Auth",
"items": [
{
"type": 1,
"content": {
"json": "### AAD Legacy Auth Help File\r\n\r\n**Protocol Risk**\r\n\t* Legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization.\r\n\t* The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:\r\n\t\t* More than 99 percent of password spray attacks use legacy authentication protocols\r\n\t\t* More than 97 percent of credential stuffing attacks use legacy authentication\r\n\t\t* Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled\r\n\r\n**Legacy Authentication Protocols**\r\nThe following options are considered legacy authentication protocols\r\n\t* Authenticated SMTP - Used by POP and IMAP client's to send email messages.\r\n\t* Autodiscover - Used by Outlook and EAS clients to find and connect to mailboxes in Exchange Online.\r\n\t* Exchange ActiveSync (EAS) - Used to connect to mailboxes in Exchange Online.\r\n\t* Exchange Online PowerShell - Used to connect to Exchange Online with remote PowerShell. If you block Basic authentication for Exchange Online PowerShell, you need to use the Exchange Online PowerShell Module to connect. 
For instructions, see Connect to Exchange Online PowerShell using multi-factor authentication.\r\n\t* Exchange Web Services (EWS) - A programming interface that's used by Outlook, Outlook for Mac, and third-party apps.\r\n\t* IMAP4 - Used by IMAP email clients.\r\n\t* MAPI over HTTP (MAPI/HTTP) - Used by Outlook 2010 and later.\r\n\t* Offline Address Book (OAB) - A copy of address list collections that are downloaded and used by Outlook.\r\n\t* Outlook Anywhere (RPC over HTTP) - Used by Outlook 2016 and earlier.\r\n\t* Outlook Service - Used by the Mail and Calendar app for Windows 10.\r\n\t* POP3 - Used by POP email clients.\r\n\t* Reporting Web Services - Used to retrieve report data in Exchange Online.\r\n\t* Other clients - Other protocols identified as utilizing legacy authentication.\r\n\r\n**Mitigation Planning**\r\n\t* Before you can block legacy authentication in your directory, you need to first understand if your users have apps that use legacy authentication and how it affects your overall directory.\r\n\t* Azure AD supports several of the most widely used authentication and authorization protocols including legacy authentication. Legacy authentication refers to protocols that use basic authentication. Typically, these protocols can't enforce any type of second factor authentication. * Examples for apps that are based on legacy authentication are:\r\n\t\t* Older Microsoft Office apps\r\n\t\t* Apps using mail protocols like POP, IMAP, and SMTP\r\n\t\t* Single factor authentication (for example, username and password) is not enough these days.\r\n\t\t* Passwords are bad as they are easy to guess and we (humans) are bad at choosing good passwords. Passwords are also vulnerable to a variety of attacks like phishing and password spray. One of the easiest things you can do to protect against password threats is to implement MFA. 
With MFA, even if an attacker obtains a user's password, the password alone is not sufficient to successfully authenticate and access the data.\r\n\r\n\tHow can you prevent apps using legacy authentication from accessing your tenant's resources? The recommendation is to block them with a Conditional Access policy. If necessary, allow only certain users and specific network locations to use apps that are based on legacy authentication.\r\n\r\n**Data Filters**\r\n\t* Account\r\n\t* IP address\r\n\t* Account timebrush\r\n\t* IP timebrush\r\n\t* Auth type\r\n\t* Country/region\r\n\t* Full details\r\n\r\n**References**\r\n- [How to: Block legacy authentication to Azure AD with Conditional Access](https://docs.microsoft.com/azure/active-directory/conditional-access/block-legacy-authentication#:~:text=To%20give%20your%20users%20easy%20access%20to%20your,environments%20a%20common%20requirement%20to%20address%20identity%20theft)",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 9"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed //doughnut\r\n| order by Count desc",
"size": 0,
"title": "Legacy authentications, by account",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "UserPrincipalName",
"exportParameterName": "UserPrincipalName",
"exportDefaultValue": "All",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "blue"
}
}
],
"filter": true
},
"sortBy": []
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 29"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress,ClientAppUsed //doughnut\r\n| order by Count desc",
"size": 0,
"title": "Legacy authentications, by IP address",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "orange"
}
}
],
"filter": true
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 30"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by UserPrincipalName, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"size": 1,
"title": "Account events over time - select timebrush",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "AADTimebrushAccount",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "CountryOrRegion",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ClientAppUsed",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"CountryOrRegion"
]
},
"labelSettings": [
{
"columnId": "CountryOrRegion"
},
{
"columnId": "ClientAppUsed"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 31 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated between ({AADTimebrushAccount:start}..({AADTimebrushAccount:end}+{AADTimebrushAccount:grain}))\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by UserPrincipalName, ClientAppUsed\r\n",
"size": 1,
"title": "Account events over time ({AADTimebrushAccount:label})",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 26"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by IPAddress, bin(TimeGenerated, {TimeRange:grain})\r\n| order by count_\r\n",
"size": 1,
"title": "IPAddresses over time - select timebrush",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"timeBrushParameterName": "AADTimebrushIPAddress",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "linechart",
"gridSettings": {
"formatters": [
{
"columnMatch": "CountryOrRegion",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ClientAppUsed",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"CountryOrRegion"
]
},
"labelSettings": [
{
"columnId": "CountryOrRegion"
},
{
"columnId": "ClientAppUsed"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "IP Timebrush"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where TimeGenerated between ({AADTimebrushAccount:start}..({AADTimebrushAccount:end}+{AADTimebrushAccount:grain}))\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize Count=count() by IPAddress, ClientAppUsed\r\n| order by Count\r\n",
"size": 1,
"title": "IP events over time ({AADTimebrushIPAddress:label})",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "blue",
"aggregation": "Sum"
}
}
],
"sortBy": [
{
"itemKey": "IPAddress",
"sortOrder": 2
}
]
},
"sortBy": [
{
"itemKey": "IPAddress",
"sortOrder": 2
}
]
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 26 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by ClientAppUsed, UserPrincipalName //bar",
"size": 0,
"title": "Legacy authentications, by authentication type",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "ClientAppUsed",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "UserPrincipalName",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "gray",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"ClientAppUsed"
]
},
"labelSettings": [
{
"columnId": "ClientAppUsed"
},
{
"columnId": "UserPrincipalName"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 32"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| summarize count() by tostring(CountryOrRegion=LocationDetails.countryOrRegion), ClientAppUsed //bar\r\n| order by count_\r\n",
"size": 0,
"title": "Legacy authentications, by country/region",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "CountryOrRegion",
"formatter": 5,
"formatOptions": {
"showIcon": true
}
},
{
"columnMatch": "ClientAppUsed",
"formatter": 0,
"formatOptions": {
"showIcon": true,
"aggregation": "Unique"
}
},
{
"columnMatch": "count_",
"formatter": 4,
"formatOptions": {
"min": 0,
"palette": "purple",
"showIcon": true,
"aggregation": "Sum"
}
}
],
"hierarchySettings": {
"treeType": 1,
"groupBy": [
"CountryOrRegion"
]
},
"labelSettings": [
{
"columnId": "CountryOrRegion"
},
{
"columnId": "ClientAppUsed"
},
{
"columnId": "count_",
"label": "Count"
}
]
}
},
"customWidth": "50",
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 31"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "SigninLogs\r\n| where ResultType == 0\r\n| where ClientAppUsed !contains \"Browser\" and ClientAppUsed !contains \"Mobile Apps and Desktop clients\"\r\n| extend mergeCountry = toupper(LocationDetails.countryOrRegion)\r\n| summarize IPaddress = make_set(IPAddress), Count=count() by UserPrincipalName, ClientAppUsed, tostring(CountryOrRegion=mergeCountry) //table\r\n| order by Count desc",
"size": 0,
"showAnalytics": true,
"title": "Legacy authentications details",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 8,
"formatOptions": {
"palette": "coldHot"
}
}
],
"filter": true
},
"sortBy": []
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "query - 33"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "AADLegacy"
},
"name": "group - AAD"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"title": "Group: Vulnerable Secure Channel",
"items": [
{
"type": 1,
"content": {
"json": "### Vulnerable Netlogon Secure Channel Help\r\n\r\n**Protocol Risk**\r\n\t* An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller\r\n\t* An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network\r\n\r\n**Auditing Settings**\r\n\t* Apply the relevant update for CVE-2020-1472 to enable logging\r\n\t* In Log Analytics/Sentinel, set log collection to include Warning and Errors from the System Event log\r\n\r\n**Mitigation Planning**\r\n\t* Review All Connections with an Insecure Netlogon Secure Channel\r\n\t* Enforcement Mode is scheduled to be enabled on February 9, 2021\r\n\t* Prior to Enforcement Mode enablement, ensure that all Netlogon clients are upgraded\r\n\t* If upgrading is not possible at this time, grant an exemption in the Group Policy: Domain controller: Allow vulnerable Netlogon secure channel connections (exempted accounts remain exposed to the vulnerability above, so review them until they can be upgraded)\r\n\t* To enter Enforcement Mode ahead of schedule, configure the REG_DWORD FullSecureChannelProtection in key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Netlogon\\Parameters to a value of 1\r\n\r\n**Data Filters**\r\n\t* Machine\r\n\t* ClientIP\r\n\t* Status\r\n\r\n**References**\r\n- [How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472](https://support.microsoft.com/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc)",
"style": "info"
},
"conditionalVisibility": {
"parameterName": "Help",
"comparison": "isEqualTo",
"value": "Yes"
},
"name": "text - 9 - Copy"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| summarize Count=count() by Status\r\n| sort by Count desc",
"size": 4,
"title": "Secure Channel Status - click to filter",
"timeContext": {
"durationMs": 604800000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Status",
"exportParameterName": "Status",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"showBorder": false,
"titleContent": {
"columnMatch": "Status",
"formatter": 1
},
"leftContent": {
"columnMatch": "Count",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5828, 5829, 5830, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| summarize Count=count() by bin(TimeGenerated, {TimeRange:grain}), Status",
"size": 1,
"title": "Secure Channel by Time",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart"
},
"customWidth": "50",
"name": "query - 8"
},
{
"type": 1,
"content": {
"json": "### Machine Accounts \r\n---"
},
"name": "text - 5"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by Machine, Status\r\n| order by Count desc",
"size": 0,
"title": "By Machine - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "Machine",
"exportParameterName": "Machine",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"visualization": "table",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "orange"
}
}
]
},
"sortBy": []
},
"customWidth": "30",
"name": "By Machine"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5827, 5829, 5830]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" Machine \"</P\" * \"<Param>\" Domain \"</P\" * \"<Param>\" AccountType \"</P\" * \"<Param>\" OperatingSystem \"</P\" *\r\n| where Machine =~ \"{Machine}\" or \"{Machine}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, Machine, Domain, AccountType, OperatingSystem, EventID, Status\r\n",
"size": 0,
"showAnalytics": true,
"title": "Machine Account Connections",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
]
},
"customWidth": "70",
"name": "query - 0"
},
{
"type": 1,
"content": {
"json": "### Trust Accounts\r\n---"
},
"name": "text - 6"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize Count=count() by ClientIP, Status\r\n| order by Count desc",
"size": 0,
"title": "By Trust Account - click to filter",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "ClientIP",
"exportParameterName": "ClientIP",
"exportDefaultValue": "All",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "Count",
"formatter": 4,
"formatOptions": {
"min": 1,
"palette": "orange"
}
}
]
}
},
"customWidth": "30",
"name": "query - 7"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let scEvents = dynamic([5828, 5831]);\r\nEvent\r\n| where EventID in (scEvents)\r\n| where EventLog =~ \"System\" and Source =~ \"NETLOGON\"\r\n| parse ParameterXml with \"<Param>\" AccountType \"</P\" * \"<Param>\" TrustName \"</P\" * \"<Param>\" TrustTarget \"</P\" * \"<Param>\" ClientIP \"</P\" *\r\n| where ClientIP =~ \"{ClientIP}\" or \"{ClientIP}\" =~ \"All\"\r\n| extend Status = case(EventID == 5827 or EventID == 5828, \"Connection Denied\", EventID == 5829, \"Connection Allowed - Enforcement Mode Off\", EventID == 5830 or EventID == 5831, \"Connection Allowed - Policy\", \"Unknown\")\r\n| where Status =~ \"{Status}\" or \"{Status}\" =~ \"All\"\r\n| summarize FirstOccurance=min(TimeGenerated), LastOccurance=max(TimeGenerated), Count=count() by DomainController=Computer, AccountType, TrustName, TrustTarget, ClientIP, EventID, Status",
"size": 0,
"showAnalytics": true,
"title": "Trust Account Connections",
"timeContext": {
"durationMs": 0
},
"timeContextFromParameter": "TimeRange",
"showExportToExcel": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"crossComponentResources": [
"{Workspace}"
],
"gridSettings": {
"sortBy": [
{
"itemKey": "ClientIP",
"sortOrder": 1
}
]
},
"sortBy": [
{
"itemKey": "ClientIP",
"sortOrder": 1
}
]
},
"customWidth": "70",
"name": "query - 0 - Copy"
}
]
},
"conditionalVisibility": {
"parameterName": "selectedTab",
"comparison": "isEqualTo",
"value": "NetlogonSC"
},
"name": "NetlogonSC"
}
],
"fromTemplateId": "sentinel-InsecureProtocols",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}