34 строки
1.8 KiB
Plaintext
34 строки
1.8 KiB
Plaintext
// Query #1: Look for public IP addresses that failed to logon to a computer multiple times, using multiple accounts, and eventually succeeded.
|
|
DeviceLogonEvents
|
|
| where isnotempty(RemoteIP)
|
|
and AccountName !endswith "$"
|
|
and RemoteIPType == "Public"
|
|
| extend Account=strcat(AccountDomain, "\\", AccountName)
|
|
| summarize
|
|
Successful=countif(ActionType == "LogonSuccess"),
|
|
Failed = countif(ActionType == "LogonFailed"),
|
|
FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
|
|
SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
|
|
FailedAccounts = makeset(iff(ActionType == "LogonFailed", Account, ""), 5),
|
|
SuccessfulAccounts = makeset(iff(ActionType == "LogonSuccess", Account, ""), 5)
|
|
by DeviceName, RemoteIP, RemoteIPType
|
|
| where Failed > 10 and Successful > 0 and FailedAccountsCount > 2 and SuccessfulAccountsCount == 1
|
|
|
|
// Query #2: Look for machines failing to log-on to multiple machines or using multiple accounts
|
|
// Note - RemoteDeviceName is not available in all remote logon attempts
|
|
DeviceLogonEvents
|
|
| where isnotempty(RemoteDeviceName)
|
|
| extend Account=strcat(AccountDomain, "\\", AccountName)
|
|
| summarize
|
|
Successful=countif(ActionType == "LogonSuccess"),
|
|
Failed = countif(ActionType == "LogonFailed"),
|
|
FailedAccountsCount = dcountif(Account, ActionType == "LogonFailed"),
|
|
SuccessfulAccountsCount = dcountif(Account, ActionType == "LogonSuccess"),
|
|
FailedComputerCount = dcountif(DeviceName, ActionType == "LogonFailed"),
|
|
SuccessfulComputerCount = dcountif(DeviceName, ActionType == "LogonSuccess")
|
|
by RemoteDeviceName
|
|
| where
|
|
Successful > 0 and
|
|
((FailedComputerCount > 100 and FailedComputerCount > SuccessfulComputerCount) or
|
|
(FailedAccountsCount > 100 and FailedAccountsCount > SuccessfulAccountsCount))
|