Skip to content
This repository was archived by the owner on Nov 16, 2023. It is now read-only.
24 changes: 24 additions & 0 deletions log-analytics/office-activity-by-ip.md
@@ -0,0 +1,24 @@
# Office 365 activity by ip
#### #office365 #unified-audit-log #audit

Return activity from the Office365 unified audit log by one or more ip addresses.

```OQL
OfficeActivity
| where TimeGenerated >= ago(256d)
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
| extend UserAgent = parse_json(ExtendedProperties)[0].Value
| extend Cip = strcat(ClientIP,Client_IPAddress)
| where Cip in ('0.0.0.0','0.0.0.1')
| extend UAgent = strcat(UserAgent, ClientInfoString)
| extend CreateItemSubject = parse_json(Item).Subject
| extend CreateItemPath = parse_json(Item).ParentFolder.Path
| extend InternetMessageID = parse_json(Item).InternetMessageId
| extend DeleteItemSubject = parse_json(AffectedItems)[0].Subject
| extend DeleteItemPath = parse_json(AffectedItems)[0].ParentFolder.Path
| extend DestinationFolderPath = parse_json(DestFolder).Path
| extend MTDMessageID = parse_json(AffectedItems)[0].InternetMessageId
| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Cip,UAgent,CreateItemSubject,CreateItemPath,InternetMessageID,DeleteItemSubject,DeleteItemPath,MTDMessageID,DestinationFolderPath,OfficeObjectId
| sort by dtUTC desc
```
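Review bot: the `Cip` column built with `strcat(ClientIP,Client_IPAddress)` will not match the `in (...)` filter on the next line whenever both source columns are populated, because the two addresses are glued into one string; use `coalesce(ClientIP, Client_IPAddress)` (or `iff(isempty(ClientIP), Client_IPAddress, ClientIP)`) so the filter compares against a single address. Two smaller points: the fence language `OQL` is not a recognised highlighter name for Kusto, so `kql` would render better, and `sort by dtUTC desc` orders on a minute-resolution string rather than the datetime; `sort by TimeGenerated desc` keeps the full ordering.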
24 changes: 24 additions & 0 deletions log-analytics/office-activity-by-username.md
@@ -0,0 +1,24 @@
# Office 365 activity by username
#### #office365 #unified-audit-log #audit

Return activity from the Office365 unified audit log by username.

```OQL
OfficeActivity
| where UserId == ""
| where TimeGenerated >= ago(256d)
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
| extend UserAgent = parse_json(ExtendedProperties)[0].Value
| extend Cip = strcat(ClientIP,Client_IPAddress)
| extend UAgent = strcat(UserAgent, ClientInfoString)
| extend CreateItemSubject = parse_json(Item).Subject
| extend CreateItemPath = parse_json(Item).ParentFolder.Path
| extend InternetMessageID = parse_json(Item).InternetMessageId
| extend DeleteItemSubject = parse_json(AffectedItems)[0].Subject
| extend DeleteItemPath = parse_json(AffectedItems)[0].ParentFolder.Path
| extend DestinationFolderPath = parse_json(DestFolder).Path
| extend MTDMessageID = parse_json(AffectedItems)[0].InternetMessageId
| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Cip,UAgent,CreateItemSubject,CreateItemPath,InternetMessageID,DeleteItemSubject,DeleteItemPath,MTDMessageID,DestinationFolderPath,OfficeObjectId
| sort by dtUTC desc
```
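Review bot: `where UserId == ""` is a placeholder with no hint to the reader, unlike `signins-by-username.md`, which comments its placeholder with `// provide userprincipal name`; add the same comment here, and consider `=~` instead of `==` because `==` is case-sensitive and the UPN casing in audit records does not always match what the analyst types. The `strcat(ClientIP,Client_IPAddress)` expression has the same concatenation problem as in `office-activity-by-ip.md` and should become `coalesce(ClientIP, Client_IPAddress)` for consistency.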
14 changes: 14 additions & 0 deletions log-analytics/recent-security-alerts.md
@@ -0,0 +1,14 @@
# Recent security alerts
#### #security #alert $user #location

Return triggered security alerts in the last 24 hours.

```OQL
SecurityAlert
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
| extend IP = parse_json(ExtendedProperties)['Client IP Address']
| extend Username = parse_json(ExtendedProperties)['User Name']
| extend Location = parse_json(ExtendedProperties)['Client Location']
| project TimeGenerated, dtUTC, dtAU, AlertType, AlertName, AlertSeverity , Description , Username , IP , Location
```
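Review bot: the description promises alerts "in the last 24 hours" but the query has no time filter, so it returns every alert in the workspace retention window; add `| where TimeGenerated >= ago(24h)` as the first operator after `SecurityAlert`. Also, the tag line `#### #security #alert $user #location` has `$user` where the other files use `#user`, which looks like a typo.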
16 changes: 16 additions & 0 deletions log-analytics/signins-by-ip.md
@@ -0,0 +1,16 @@
# Signins by ip
#### #signinlogs #ip

Return signin activity by one or more ip address from the Azure SigninLogs table/log.

```OQL
SigninLogs
| where TimeGenerated >= ago(256d)
| where IPAddress in ('0.0.0.0','0.0.0.1')
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd hh:mm')
| extend City = parse_json(LocationDetails).city
| project TimeGenerated , dtUTC , dtAU , UserPrincipalName , Type, Status, IPAddress , Location , City , ResultType , ResultDescription, ClientAppUsed , DeviceDetail , AppDisplayName
| sort by TimeGenerated desc
//| summarize by IPAddress
```
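Review bot: the format strings use `hh:mm` (12-hour clock with no AM/PM marker), so a sign-in at 14:05 and one at 02:05 both render as `02:05` in `dtUTC` and `dtAU`; the Office 365 queries in this same commit use `HH:mm`, which is what is wanted here. The trailing commented-out `//| summarize by IPAddress` should either be removed or given a short comment saying it is an optional aggregation, so it does not read as a leftover.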
15 changes: 15 additions & 0 deletions log-analytics/signins-by-username.md
@@ -0,0 +1,15 @@
# Signins by username
#### #signinlogs #username

Return signin activity by username from the Azure SigninLogs table/log.

```OQL
SigninLogs
| where TimeGenerated >= ago(256d)
| where UserPrincipalName == "" // provide userprincipal name
| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
| extend dtAU = format_datetime(TimeGenerated +10h,'yyyy-MM-dd hh:mm')
| extend City = parse_json(LocationDetails).city
| project TimeGenerated , dtUTC , dtAU , UserPrincipalName , Type, Status, IPAddress , Location , City , ResultType , ResultDescription, ClientAppUsed , DeviceDetail , AppDisplayName
| sort by TimeGenerated desc
```
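Review bot: `dtAU` adds `+10h` here but `+11h` in every other file in this commit, so the same event shows different local times depending on which query is run; pick one offset, or better, drop the hard-coded offset and use `datetime_utc_to_local(TimeGenerated, 'Australia/Sydney')`, which handles daylight saving. The `hh:mm` format strings have the same 12-hour ambiguity as in `signins-by-ip.md` and should be `HH:mm`.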