// Devices that recorded network activity on local port 88 (the Kerberos port),
// labelled as domain controllers for later joins.
// NOTE(review): LocalPort is compared with a string literal here; the
// advanced-hunting schema exposes it as a number, so this relies on implicit
// conversion — confirm the filter matches, or write `LocalPort == 88`.
// NOTE(review): no ActionType/RemoteIP filter is applied, so any device with an
// event on local port 88 is tagged — verify this does not over-classify.
let DC = DeviceNetworkEvents
| where LocalPort == "88"
| distinct DeviceId
| extend Type = "DomainController"
;
// Devices reporting one of the listed Windows Server platforms whose
// RegistryDeviceTag does not mention "Domain Controllers", labelled as servers.
// Newer server platforms not in this list are not classified.
let SVR = DeviceInfo
| where OSPlatform in ("WindowsServer2008R2","WindowsServer2019","WindowsServer2016","WindowsServer2012R2") and RegistryDeviceTag !contains "Domain Controllers"
| distinct DeviceId
| extend Type = "Server"
;
emet_agent.exe | |
emet_service.exe | |
firesvc.exe | |
firetray.exe | |
hipsvc.exe | |
mfevtps.exe | |
mcafeefire.exe | |
scan32.exe | |
shstat.exe | |
tbmon.exe |
// Baseline window (14 days) and recent window (1 hour) for the comparison.
// Lookback_Short is not referenced in the visible part of the query; it is
// presumably applied to the recent sign-ins further down — verify.
let Lookback_Long = ago(14d);
let Lookback_Short = ago(1h);
// All successful sign-ins inside the baseline window (ResultType "0" is the
// success code in SigninLogs).
let AllSignins =
SigninLogs
| where TimeGenerated > Lookback_Long
| where ResultType == "0"
;
let Signins = | |
AllSignins | |
| summarize FirstSeen = min(TimeGenerated), LastObserved = max(TimeGenerated), Count = count() by IPAddress, UserPrincipalName, Location |
// Window for both the Office activity and the sign-in data (90 days).
let Lookback = ago(90d);
// Inbox-rule parameter names that move mail elsewhere; presumably matched
// against the parsed Parameters further down the query — verify.
let RuleTypes = dynamic([ "ForwardTo" , "ForwardAsAttachmentTo", "RedirectTo"]);
// Office activity in the window, with the Parameters column parsed from its
// JSON string into a dynamic value for later property access.
let AllOfficeActivity =
OfficeActivity
| where TimeGenerated > Lookback
| extend Parsed=parse_json(Parameters)
;
let Signins = | |
SigninLogs | |
| where TimeGenerated > Lookback |
"2020-09-18","Grape",5,"Fabrikam Inc.",1713, | |
"2020-08-08","Mango",3,"Contoso Ltd.",2944, | |
"2020-09-17","Cherry",4,"WingTip Toys",1054, | |
"2020-08-11","Peach",2,"Northwind Traders",5271, | |
"2020-09-12","Peach",1,"Alpine Ski House",3619, | |
"2020-09-08","Peach",4,"Northwind Traders",4205, | |
"2020-08-13","Orange",5,"Alpine Ski House",882, | |
"2020-09-09","Peach",5,"Contoso Ltd.",3899, | |
"2020-08-13","Peach",2,"Alpine Ski House",4406, | |
"2020-08-14","Cherry",4,"Alpine Ski House",976, |
// Alerts from the last day only.
let TimeFrame = ago(1d);
// First alert of the chain: "Unfamiliar sign-in properties". The user is
// pulled out of ExtendedProperties; bracket access is needed because the key
// contains a space. The Alert1* columns are copies that keep this alert's
// timestamp, name and severity distinct after a later join.
let Alert1 =
SecurityAlert
| where TimeGenerated > TimeFrame
| where AlertName == "Unfamiliar sign-in properties"
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
| extend Alert1Time = TimeGenerated
| extend Alert1 = AlertName
| extend Alert1Severity = AlertSeverity
;
// How far back to look (a timespan, not an absolute time; presumably used as
// ago(lookBack_long) further down — verify).
let lookBack_long = 30d;
// Bin size for the time series.
let TimeFrame = 3h;
// Score above which a bin is treated as anomalous.
let AnomalyThreshold = 3;
// Minimum number of distinct devices before a result is reported.
let DeviceThreshold = 4;
DeviceLogonEvents | |
// Look for all events with the type Remote Interactive |
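// Set the amount of days to monitor
let StartTime = ago(7d);
// Create lists to categorize files based on their extension.
// Certificate and key-material extensions. ".pem" was listed twice in the
// original; the duplicate is dropped (membership tests are unaffected).
let CertificateFileExtensions = dynamic([".crt",".cer",".ca-bundle",".p7b",".p7c",".p7s",".pem",".key",".keystore",".jks",".p12",".pfx"]);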
let CompressedFileExtensions = dynamic([".7z",".arj",".deb",".pkg",".rar",".rpm",".gz",".z",".zip",".001",".002",".003",".004",".005",".006",".007",".008",".009",".010",".011",".012",".013",".014",".015",".016",".017",".018",".019",".020",".021",".022",".023",".024",".025",".026",".027",".028",".029",".030",".031",".032",".033",".034",".035",".036",".037",".038",".039",".040",".041",".042",".043",".044",".045",".046",".047",".048",".049",".050",".051",".052",".053",".054",".055",".056",".057",".058",".059",".060",".061",".062",".063",".064",".065",".066",".067",".068",".069",".070",".071",".072",".073",".074",".075",".076",".077",".078",".079",".080",".081",".082",".083",".084",".085",".086",".087",".088",".089",".090",".091",".092",".093",".094 |
// Scoring weights per CVE severity; presumably multiplied by the number of
// findings at each severity further down the query — verify.
let Critical = int(40);
let High = int(10);
let Medium = int(3);
let Low = int(1);
// Informational findings contribute nothing to the score.
let Informational = int(0);
// Determine OS Version based on MDATP ClientVersion | |
let OSInformation = ( | |
DeviceInfo | |
| extend OperatingsystemType = case(ClientVersion hasprefix "10.3720.16299.2", "Windows Server", |
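// CVE identifiers this query treats as the June RCE set (values as given in the source).
let JuneRCE = dynamic(["CVE-2020-1208","CVE-2020-1226","CVE-2020-1225","CVE-2020-1248","CVE-2020-1238","CVE-2020-1281","CVE-2020-1299","CVE-2020-1073","CVE-2020-1239","CVE-2020-1236","CVE-2020-1301","CVE-2020-1181","CVE-2020-1216","CVE-2020-1300","CVE-2020-1215","CVE-2020-1286","CVE-2020-1321","CVE-2020-1219","CVE-2020-1214","CVE-2020-1213","CVE-2020-1230","CVE-2020-1223","CVE-2020-1260"]);
// Per device and OS: how many of the listed CVEs are present, plus the list
// itself so an analyst can see which ones without a second query.
// Devices with the most exposure are listed first.
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId in (JuneRCE)
| summarize CVECount = dcount(CveId), CVEs = make_set(CveId) by DeviceName, OSPlatform
| order by CVECount desc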