// Name: Editing Scheduled Tasks Through Crontab
// Description: This query shows when users have edited or replaced the scheduled tasks using crontab. The events are bucketed into 10 minute intervals
// and all the actions that a particular user took are collected into the ListOfActions column. Default query is for seven days.
//
// Id: 6f0f1821-5981-408a-930b-8b2ca60e9e6c
//
// Data Source: #Syslog, #cron
//
// Tactics: #Persistence, #Execution
//
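// Lookback window; change startdate for a different timespan.
// NOTE(review): the description above says seven days while this value is 14d — keep the two in sync.
let startdate = ago(14d);
// crontab logs one Syslog line per invocation on the "cron" facility at "info" severity, shaped
// "(<user>) <ACTION> (<target>)". The first name is the account that ran crontab; the second is
// presumably the crontab that was listed/edited (crontab -u) — verify against sample messages
// before relying on TargetUsers for cross-account edit detection.
Syslog
| where TimeGenerated >= startdate
| where Facility == "cron"
| where ProcessName == "crontab"
| where SeverityLevel == "info"
| project TimeGenerated, Computer, SyslogMessage
| parse SyslogMessage with * "(" user ") " Action " (" targetUser ")" *
// Keep only edit/replace activity (contains is case-insensitive, so any action text
// that includes EDIT or REPLACE is retained).
| where Action contains "EDIT" or Action contains "REPLACE"
// Collapse each user's actions on a host into one row per 10-minute bucket.
// make_set replaces the deprecated makeset; the output columns are named explicitly so the
// projection below does not depend on an auto-generated name such as set_Action.
| summarize ListOfActions = make_set(Action), TargetUsers = make_set(targetUser) by bin(TimeGenerated, 10m), Computer, user
| project EventTime10MinInterval = TimeGenerated, Computer, user, ListOfActions, TargetUsers
| order by Computer asc nulls last, EventTime10MinInterval asc
// Entity mapping for Sentinel: the acting account and the host.
| extend AccountCustomEntity = user, HostCustomEntity = Computer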