Hunting Queries/Syslog/disabled_account_squid_usage.txt


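// Name: Disabled accounts using squid proxy
//
// Id: 959fe0f0-7ac0-467c-944f-5b8c6fdc9e72
//
// Description: Look for accounts that have been recorded as disabled by AD in the previous week but are still using the proxy during
// the current week. This query presumes the default squid log format is being used.
//
// DataConnector: #Syslog; DataTypes: #Squid
//
// Tactics: #Discovery, #CommandAndControl
//
// Accounts whose sign-in was rejected with result 50057 (account disabled) in the week before last.
// Reduced to one row per UPN so that the join below yields one row per proxy event rather than one
// row per (proxy event x rejected sign-in) pair; DisabledSeen keeps the earliest rejection time.
let disabledAccounts = (){
SigninLogs
| where TimeGenerated between(ago(14d) .. ago(7d))
| where ResultType == "50057"
| where ResultDescription == "User account is disabled. The account has been disabled by an administrator."
| summarize DisabledSeen = min(TimeGenerated) by UserPrincipalName
};
// Squid access-log lines from the last 7 days, parsed from the native (default) squid log format.
// The HTTP method token is matched as any run of upper-case letters, the same way the URL and
// Domain extracts already do, so that POST/PUT/HEAD requests are parsed like CONNECT/GET.
// User is the token following the URL, i.e. squid's rfc931 (authenticated user) field, which is
// "-" when the request was not authenticated.
let proxyEvents = (){
Syslog
| where TimeGenerated > ago(7d)
| where ProcessName contains "squid"
| extend URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)",3,SyslogMessage),
 SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage),
 Status = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))",1,SyslogMessage),
 HTTP_Status_Code = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})",8,SyslogMessage),
 User = extract("([A-Z]+ )([^ ]* )([^ ]+)",3,SyslogMessage),
 RemotePort = extract("([A-Z]+ )([^ ]*)(:)([0-9]*)",4,SyslogMessage),
 Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)",3,SyslogMessage),
 Bytes = toint(extract("([A-Z]+\\/[0-9]{3} )([0-9]+)",2,SyslogMessage)),
 contentType = extract("([a-z/]+$)",1,SyslogMessage)
| extend TLD = extract("\\.[a-z]*$",0,Domain)
};
proxyEvents
// Unauthenticated requests ("-") and lines where no user could be parsed can never match a UPN.
| where isnotempty(User) and User != "-"
| where Status !contains 'DENIED'
// NOTE(review): the join key comparison is case-sensitive. If the proxy's auth helper records the
// username in a different case from the UPN in SigninLogs, matches will be missed; normalise both
// sides with tolower() before joining if that is the case in your environment.
| join kind=inner disabledAccounts on $left.User == $right.UserPrincipalName
| extend AccountCustomEntity = UserPrincipalName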