AADSuspectedBruteForce.yaml #3634
Conversation
Testing for Azure#3601
| relevantTechniques: | ||
| - T1110 | ||
| query: | | ||
| let authenticationWindow = 24h; |
There was a problem hiding this comment.
Remove this, we don't want timeframes embedded in queries when not needed as this breaks the hunting blade UX time slider features.
| let successCodes = dynamic(["0", "50125", "50140", "70043", "70044"]); | ||
| let aadFunc = (tableName:string){ | ||
| table(tableName) | ||
| | where TimeGenerated > ago(authenticationWindow) |
| let aadFunc = (tableName:string){ | ||
| table(tableName) | ||
| | where TimeGenerated > ago(authenticationWindow) | ||
| | extend Activities = pack("datetime", TimeGenerated,"ResultEventId", ResultType , "AppDisplayName", AppDisplayName, "ResultDescription", ResultDescription ,"IpAddress", IPAddress, "DeviceDetail", todynamic(DeviceDetail), "Status", todynamic(DeviceDetail), "Locationdetails", todynamic(LocationDetails)) |
There was a problem hiding this comment.
Doing this pack is highly intensive on a workspace with a large amount of data. We should summarize with these fields directly and then pack what you want after the summarize.
I would not pack IPAddress so this can be used as an Entity.
| | where TimeGenerated > ago(authenticationWindow) | ||
| | extend Activities = pack("datetime", TimeGenerated,"ResultEventId", ResultType , "AppDisplayName", AppDisplayName, "ResultDescription", ResultDescription ,"IpAddress", IPAddress, "DeviceDetail", todynamic(DeviceDetail), "Status", todynamic(DeviceDetail), "Locationdetails", todynamic(LocationDetails)) | ||
| | extend FailureOrSuccess = iff(ResultType in (successCodes), "Success", "Failure") | ||
| | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), SuccesEvents = make_list_if(Activities, ResultType in (successCodes)),FailureEvents = make_list_if(Activities, ResultType !in (successCodes)) , FailureCount = countif(FailureOrSuccess=="Failure"), SuccessCount = countif(FailureOrSuccess=="Success") by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, Type |
There was a problem hiding this comment.
bring thru ResourceId so it can be used as an entity.
There was a problem hiding this comment.
ResourceId is yet to be a common a column for both the tables. Please suggest if any other column is applicable.
| let aadSignin = aadFunc("SigninLogs"); | ||
| let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); | ||
| union isfuzzy=true aadSignin, aadNonInt | ||
| entityMappings: |
There was a problem hiding this comment.
Add IP and ResourceId mappings, this is not specifically supported in the UX yet, but it likely will be in the future and we want to make it easy for users to migrate to this to a detection for their specific environment if so desired.
There was a problem hiding this comment.
ResourceId is yet to be a common a column for both the tables. Please suggest if any other column is applicable.
Thank you for highlighting @cmaneiro, could not capture your last comments real time. |
|
Closing as dupe of #3601 |
Testing for #3601