# GoldenSAML Quiz: LDAP Query Object

#### Dataset

- Windows Events: `sqlalchemy://GoldenSAML-WindowsEvents`
- MDE: `sqlalchemy://GoldenSAML-Microsoft365DefenderEvents`

The datasources will be automatically listed in the `FROM` clause of a `GET` command when pressing `tab` to auto-complete.

In [1]:
# init hunt step to be executed for this quiz

all_events = GET event FROM sqlalchemy://GoldenSAML-WindowsEvents
             WHERE device.hostname LIKE '%.simulandlabs.com'
             START 2021-08-02T00:00:00.000Z STOP 2021-08-03T00:00:00.000Z
             
DISP all_events ATTR time, type_uid, type_name, device.hostname SORT BY time ASC

time,type_uid,type_name,device.hostname
2021-08-02T13:05:32.77Z,100114,Pipe connected,adfs01.simulandlabs.com
2021-08-02T13:05:33.483Z,33205,33205,adfs01.simulandlabs.com
2021-08-02T13:06:38.337Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:06:38.33Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:06:39.587Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:06:40.033Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:08:45.653Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:08:45.68Z,300201,An account was successfully logged on,dc01.simulandlabs.com
2021-08-02T13:09:19.323Z,400101,The Windows Filtering Platform has permitted a connection,adfs01.simulandlabs.com
2021-08-02T13:09:20.04Z,412,412,adfs01.simulandlabs.com


### Task A: Find Accessed Objects in WindowsEvents Log

1. Filter object operation events into a new Kestrel variable (OCSF `type_uid = 300400`)
2. Use `FIND` command to extract objects ([managed_entity type in OCSF](https://schema.ocsf.io/1.3.0/objects/managed_entity)) which `RESPONDED` to the events
3. Show the details of the objects

In [2]:
objops = all_events WHERE type_uid = 300400

objs = FIND managed_entity RESPONDED objops

DISP objs

uid,type,data
9736f74f-fd37-4b02-80e8-8120a72ad6c2,5cb41ed0-0e4c-11d0-a286-00aa003049e2,%%7684 \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2}
9736f74f-fd37-4b02-80e8-8120a72ad6c2,5cb41ed0-0e4c-11d0-a286-00aa003049e2,%%7684 \t\t{e48d0154-bcf8-11d1-8702-00c04fb96050} \t\t\t{bf9679e5-0de6-11d0-a285-00aa003049e2} \t\t\t{bf967a0e-0de6-11d0-a285-00aa003049e2} \t\t{77b5b886-944a-11d1-aebd-0000f80367c1} \t\t\t{8d3bca50-1d7e-11d0-a081-00aa006c33ed} \t{5cb41ed0-0e4c-11d0-a286-00aa003049e2}


### Task B: Object Access Details in MDE Log

**Prerequisite: Task A**

The `WindowsEvents` log source carries very limited information on the accessed objects. Fortunately, the same objects are also logged by Microsoft Defender. Let's check the `Microsoft365DefenderEvents` log source to find more.

1. Search the `query_info` entities in the `Microsoft365DefenderEvents` log source for the id (`uid`) of the object found in **Task A**
2. The `uid` from **Task A** is matched against the `search_filter` attribute of `query_info` in this task
3. Use `LIKE` with `%...%` to maximize the chance of a match
4. Copy/paste the `uid` value to construct the `GET` manually (do not reference the previous Kestrel variable, since `%` must be added around the value)
5. Write your `GET` command followed by a `DISP`

In [3]:
queries = GET query_info FROM sqlalchemy://GoldenSAML-Microsoft365DefenderEvents
          WHERE search_filter LIKE '%9736f74f-fd37-4b02-80e8-8120a72ad6c2%'
          
DISP queries

uid,attr_list,search_filter
113616,"[""thumbnailphoto""]",(l=9736f74f-fd37-4b02-80e8-8120a72ad6c2)


### Task C: Find Event Information of The Query

**Prerequisite: Task B**

1. Use a `FIND` command to retrieve the entire events that contain the queries from **Task B** (the reversed relation, using `RESPONDED BY`)
2. Display the following key attributes of the events
    - time
    - type_uid
    - type_name
    - device.hostname

In [4]:
query_events = FIND event RESPONDED BY queries

DISP query_events ATTR time, type_uid, type_name, device.hostname

time,type_uid,type_name,device.hostname
2021-08-02T13:11:53.6344905Z,600504,LdapSearch,adfs01.simulandlabs.com
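Tasks A to C as a single correlation pass over constructed sample rows (an added Python example, not part of the notebook or the Kestrel datasets): object uids from object-operation events are matched against GUIDs embedded in MDE LDAP search filters. Only the object uid, the `(l=...)` filter, the `thumbnailphoto` attribute list and the adfs01 event come from the quiz output; the record layout and the dc01 hostname for the object-operation row are assumptions.

```python
import re

# Constructed sample rows modelled on the quiz output; only the object uid, the LDAP
# filter, the attr_list and the adfs01 LdapSearch event are values shown in the notebook.
OBJECT_OPS = [  # WindowsEvents rows; OCSF type_uid 300400 is an object operation
    {"time": "2021-08-02T13:11:53.6Z", "type_uid": 300400,
     "device": "dc01.simulandlabs.com", "object_uid": "{9736F74F-FD37-4B02-80E8-8120A72AD6C2}"},
    {"time": "2021-08-02T13:06:38.3Z", "type_uid": 300201,  # logon event, no object: ignored
     "device": "dc01.simulandlabs.com", "object_uid": None},
]
LDAP_SEARCHES = [  # Microsoft365DefenderEvents query_info rows (LdapSearch, type_uid 600504)
    {"time": "2021-08-02T13:11:53.6344905Z", "type_uid": 600504,
     "device": "adfs01.simulandlabs.com", "attr_list": ["thumbnailphoto"],
     "search_filter": "(l=9736f74f-fd37-4b02-80e8-8120a72ad6c2)"},
    {"time": "2021-08-02T13:12:10.0Z", "type_uid": 600504,  # unrelated search: must not match
     "device": "adfs01.simulandlabs.com", "attr_list": ["cn"],
     "search_filter": "(&(objectClass=user)(sAMAccountName=svc_adfs))"},
]

GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)


def normalize_uid(uid: str) -> str:
    """Windows may log the object GUID wrapped in braces and upper-cased; compare in one form."""
    return uid.strip("{}%").lower()


def guids_in_filter(search_filter: str) -> set[str]:
    """Every GUID literal embedded in an LDAP filter, e.g. the value of an (l=...) clause.
    Substring matching replaces the quiz's LIKE '%...%' so one filter can hit several uids."""
    return {g.lower() for g in GUID_RE.findall(search_filter)}


def correlate(object_ops: list[dict], ldap_searches: list[dict]) -> list[dict]:
    """Tasks A to C in one pass: collect the uids of objects touched by object-operation
    events (type_uid 300400) and return each LDAP search whose filter names one of them."""
    accessed = {normalize_uid(e["object_uid"]) for e in object_ops
                if e["type_uid"] == 300400 and e["object_uid"]}
    hits = []
    for q in ldap_searches:
        for uid in sorted(guids_in_filter(q["search_filter"]) & accessed):
            hits.append({"object_uid": uid, "time": q["time"], "type_uid": q["type_uid"],
                         "device": q["device"], "attr_list": q["attr_list"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(OBJECT_OPS, LDAP_SEARCHES):
        print(hit)
```

On the sample rows this reports the single adfs01 LdapSearch that Task C surfaces; the logon row and the unrelated user search are dropped.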
