Exploration Queries/authentications.txt
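//Shows authentication volume by user agent and IP address.
//Tracking via user agent is one way to differentiate between types of connecting device.
//In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.
//Examining authentications by new devices or originating from new IPs is a potential avenue to discover unauthorized access.
//Similarly new device types (user agents) on a known IP address is potentially suspect.
// Office - authentications by UA & IP (likely only manageable for small tenants)
// Tags: #Discovery #LateralMovement #Collection
// Output: one row per (UserAgent, ClientIP) pair with the number of UserLoggedIn events and the number of
// distinct accounts behind it, highest volume first. A pair with a high event count but a single account is
// worth a closer look than one shared by many users.
// NOTE(review): ExtendedProperties is an array of {Name, Value} entries; the UserAgent entry is not guaranteed
// to be the first element, so it is selected by Name instead of by position ("$[0].Value"). Events that carry
// no UserAgent entry are kept with an empty UserAgent rather than being mislabelled with another property's value.
OfficeActivity
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| where Operation startswith "UserLoggedIn"
// Pick the property named "UserAgent" from the array; summarize without a by-clause yields exactly one row per
// event, so events without that property still flow through (UserAgent empty) — confirm against your tenant's data.
| mv-apply Prop = parse_json(tostring(ExtendedProperties)) on (
    where tostring(Prop.Name) == "UserAgent"
    | summarize UserAgent = take_any(tostring(Prop.Value))
  )
| project Operation, UserId, TimeGenerated, UserAgent, ClientIP
| summarize userAgentCount = count(), distinctUsers = dcount(UserId) by UserAgent, ClientIP
| sort by userAgentCount desc;
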
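//Shows authentication volume by user agent.
//Tracking via user agent is one way to differentiate between types of connecting device.
//In homogeneous enterprise environments the user agent associated with an attacker device may stand out as unusual.
//Examining authentications by new devices is a potential avenue to discover unauthorized access.
// Tags: #Discovery #LateralMovement #Collection
// Output: one row per normalised UserAgent with the number of UserLoggedIn events and the number of distinct
// accounts that used it, highest volume first. Rare user agents tied to a single account are the usual triage start.
// NOTE(review): ExtendedProperties is an array of {Name, Value} entries; the UserAgent entry is not guaranteed
// to be the first element, so it is selected by Name instead of by position ("$[0].Value").
OfficeActivity
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| where Operation startswith "UserLoggedIn"
// Pick the property named "UserAgent" from the array; summarize without a by-clause yields exactly one row per
// event, so events without that property still flow through (UserAgent empty) — confirm against your tenant's data.
| mv-apply Prop = parse_json(tostring(ExtendedProperties)) on (
    where tostring(Prop.Name) == "UserAgent"
    | summarize UserAgent = take_any(tostring(Prop.Value))
  )
// Strip the per-machine suffix ("machine_id" onwards) so one device type is not fragmented into one bucket per machine.
| extend machineIndex = indexof(UserAgent, "machine_id")
// indexof() returns -1 when the marker is absent; the original substring(UserAgent, 0, machineIndex) then ran with a
// negative length and did not return the full string. Only truncate when the marker was actually found.
| extend UserAgent = iff(machineIndex >= 0, substring(UserAgent, 0, machineIndex), UserAgent)
| project Operation, UserId, TimeGenerated, UserAgent
| summarize userAgentCount = count(), distinctUsers = dcount(UserId) by UserAgent
| sort by userAgentCount desc;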