Created
August 3, 2020 16:59
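// Remote Session Anomaly Detection (Microsoft Defender for Endpoint,
// DeviceLogonEvents).
// Builds a per-account time series of how many distinct devices received a
// RemoteInteractive logon in each bin, runs series-decomposition anomaly
// detection on it, and returns the accounts whose most recent bin is both
// flagged as an anomaly and above an absolute device-count floor. A sudden
// jump in the number of machines one account logs on to interactively is a
// common lateral-movement indicator, so this is a detection/hunting query.
//
// How long to look back (the anomaly baseline is learned over this window)
let lookBack_long = 30d;
// Bin size for the series; also the "recent" window kept by the final filter
let TimeFrame = 3h;
// Anomaly score threshold handed to series_decompose_anomalies; higher values
// alert only on stronger outliers (fewer, higher-confidence rows)
let AnomalyThreshold = 3;
// Absolute floor: an anomalous bin must also touch at least this many distinct
// devices, so low-volume accounts (e.g. 1 -> 2 devices) do not alert
let DeviceThreshold = 4;
DeviceLogonEvents
// Look for all events with the type Remote Interactive
| where LogonType in ("RemoteInteractive")
// Make a series based on Distinct devices by User Accounts.
// ReportId is carried along (max per bin) so each output row keeps a ReportId;
// NOTE(review): presumably so the result can back a custom detection rule,
// which needs Timestamp, ReportId and an identifier such as AccountSid — confirm.
| make-series DistinctDeviceCount = dcount(DeviceId), ReportId = max(ReportId) on Timestamp in range(startofday(ago(lookBack_long)), now(), TimeFrame) by AccountName, AccountSid
// Do anomaly detection on DistinctDeviceCount
// (-1 = auto-detect seasonality, 'linefit' = linear-regression trend)
| extend (AnomaliesDetected, AnomaliesScore, AnomaliesBaseline) = series_decompose_anomalies(DistinctDeviceCount, AnomalyThreshold, -1, 'linefit')
// Place all the items on a single line (one row per account per bin).
// The baseline is fractional, so it is expanded as double rather than long to
// avoid silently truncating it.
| mv-expand DistinctDeviceCount to typeof(double), Timestamp to typeof(datetime), ReportId to typeof(double), AnomaliesDetected to typeof(double), AnomaliesScore to typeof(double), AnomaliesBaseline to typeof(double)
// Show all rows with a detected positive anomaly (1 = above baseline) whose
// distinct device count is at least DeviceThreshold.
// The earlier version filtered on `SignIns`, a column this query never
// produces; DistinctDeviceCount is the series actually built above.
| where AnomaliesDetected == 1 and DistinctDeviceCount >= DeviceThreshold
// Only show alerts in the TimeFrame (the latest bin), not the whole baseline
| where Timestamp >= ago(TimeFrame)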
Read my blog post "Remote Session Anomaly Detection" for more information about this query.