reprise99 / sentinel-queries Goto Github PK
License: MIT License
Query no longer runs because AADSpnSignInEventsBeta no longer exists (ErrorCode and Timestamp are also invalid)
Hi.
File: "Data Management/Data-CalculatePercentageperTable.kql"
Code:
Usage
| where TimeGenerated > ago(30d)
| where IsBillable = true
...
Correction:
| where IsBillable == true
Best regards.
I changed /Active Directory/SecurityEvent-IACFlagParser.kql to look up the values from a table exported from msjobjs.dll and add the TimeGenerated to the output. (Without TimeGenerated it'd just return one entry with e.g. both "Account Enabled" and "Account Disabled".)
It seems too much for a PR, but if you want I'm happy to submit one with all or part of it. Ideally we'd use getexternaldata with a CSV instead of defining a table, but I couldn't find one readily available.
// Parser to retrieve the values from User Account Control and generate friendly names
// Based on https://github.com/reprise99/Sentinel-Queries/blob/main/Active%20Directory/SecurityEvent-UACFlagParser.kql
let uacmap = datatable (index: string, description: string) [
"2048", "Account Enabled",
"2049", "'Home Directory Required' - Disabled",
"2050", "'Password Not Required' - Disabled",
"2051", "'Temp Duplicate Account' - Disabled",
"2052", "'Normal Account' - Disabled",
"2053", "'MNS Logon Account' - Disabled",
"2054", "'Interdomain Trust Account' - Disabled",
"2055", "'Workstation Trust Account' - Disabled",
"2056", "'Server Trust Account' - Disabled",
"2057", "'Don't Expire Password' - Disabled",
"2058", "Account Unlocked",
"2059", "'Encrypted Text Password Allowed' - Disabled",
"2060", "'Smartcard Required' - Disabled",
"2061", "'Trusted For Delegation' - Disabled",
"2062", "'Not Delegated' - Disabled",
"2063", "'Use DES Key Only' - Disabled",
"2064", "'Don't Require Preauth' - Disabled",
"2065", "'Password Expired' - Disabled",
"2066", "'Trusted To Authenticate For Delegation' - Disabled",
"2067", "'Exclude Authorization Information' - Disabled",
"2068", "'Undefined UserAccountControl Bit 20' - Disabled",
"2069", "'Protect Kerberos Service Tickets with AES Keys' - Disabled",
"2070", "'Undefined UserAccountControl Bit 22' - Disabled",
"2071", "'Undefined UserAccountControl Bit 23' - Disabled",
"2072", "'Undefined UserAccountControl Bit 24' - Disabled",
"2073", "'Undefined UserAccountControl Bit 25' - Disabled",
"2074", "'Undefined UserAccountControl Bit 26' - Disabled",
"2075", "'Undefined UserAccountControl Bit 27' - Disabled",
"2076", "'Undefined UserAccountControl Bit 28' - Disabled",
"2077", "'Undefined UserAccountControl Bit 29' - Disabled",
"2078", "'Undefined UserAccountControl Bit 30' - Disabled",
"2079", "'Undefined UserAccountControl Bit 31' - Disabled",
"2080", "Account Disabled",
"2081", "'Home Directory Required' - Enabled",
"2082", "'Password Not Required' - Enabled",
"2083", "'Temp Duplicate Account' - Enabled",
"2084", "'Normal Account' - Enabled",
"2085", "'MNS Logon Account' - Enabled",
"2086", "'Interdomain Trust Account' - Enabled",
"2087", "'Workstation Trust Account' - Enabled",
"2088", "'Server Trust Account' - Enabled",
"2089", "'Don't Expire Password' - Enabled",
"2090", "Account Locked",
"2091", "'Encrypted Text Password Allowed' - Enabled",
"2092", "'Smartcard Required' - Enabled",
"2093", "'Trusted For Delegation' - Enabled",
"2094", "'Not Delegated' - Enabled",
"2095", "'Use DES Key Only' - Enabled",
"2096", "'Don't Require Preauth' - Enabled",
"2097", "'Password Expired' - Enabled",
"2098", "'Trusted To Authenticate For Delegation' - Enabled",
"2099", "'Exclude Authorization Information' - Enabled",
"2100", "'Undefined UserAccountControl Bit 20' - Enabled",
"2101", "'Protect Kerberos Service Tickets with AES Keys' - Enabled",
"2102", "'Undefined UserAccountControl Bit 22' - Enabled",
"2103", "'Undefined UserAccountControl Bit 23' - Enabled",
"2104", "'Undefined UserAccountControl Bit 24' - Enabled",
"2105", "'Undefined UserAccountControl Bit 25' - Enabled",
"2106", "'Undefined UserAccountControl Bit 26' - Enabled",
"2107", "'Undefined UserAccountControl Bit 27' - Enabled",
"2108", "'Undefined UserAccountControl Bit 28' - Enabled",
"2109", "'Undefined UserAccountControl Bit 29' - Enabled",
"2110", "'Undefined UserAccountControl Bit 30' - Enabled",
"2111", "'Undefined UserAccountControl Bit 31' - Enabled"
];
SecurityEvent
| where isnotempty(UserAccountControl) and UserAccountControl != "-"
| where AccountType == "User"
| extend x = extract_all(@"([0-9]{4})", UserAccountControl)
| mv-expand x
| extend x = tostring(x)
| join kind=leftouter (uacmap)
on $left.x == $right.index
| project TargetAccount, UserAccountControl, description, TimeGenerated, Account
| summarize AccountChanges=make_list(description, 50) by TargetAccount, TimeGenerated, Account
| order by TimeGenerated asc
Hi,
What is the licensing policy for the repository? Is it okay to use it for educational purposes, for training a text-to-KQL model?
Thanks
Shashank
Have a question, need to query :
[email protected] added users to groups in AAD between ( some days )
View the information In the following table:
Result (succeed or not)
Group Display Name
Target User
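One way to answer this from the AuditLogs table. This is an added example, not a query from the repository; the actor UPN and the lookback window are placeholders, and it assumes the standard Entra ID audit schema in which "Add member to group" events carry the group name inside TargetResources[0].modifiedProperties rather than as a top-level field.

```kql
// Added example: group additions performed by one actor, with outcome,
// group display name and target user. Replace the placeholder values.
let actor = "admin@example.com";        // placeholder: initiating user's UPN
let lookback = 14d;                     // placeholder: the "some days" window
AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Add member to group"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where Actor =~ actor
// The added user is the first TargetResources entry; the group's name
// is carried as a modified property on that same entry.
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
| extend Props = TargetResources[0].modifiedProperties
| mv-apply Prop = Props on (
    where tostring(Prop.displayName) == "Group.DisplayName"
    | project GroupDisplayName = trim('"', tostring(Prop.newValue))
)
| project TimeGenerated, Result, ResultReason, GroupDisplayName, TargetUser, Actor
| order by TimeGenerated asc
```

If the addition was made by an application or service principal instead of a user, InitiatedBy.user is empty and the actor is found under InitiatedBy.app.displayName, so include that path if you need to cover automated changes too.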
May I please suggest an addition to Identity-DailySummaryofUsersAddedtoAADGroups.kql
It would be useful to include the server the addition occurred on, as well as the administrator who performed the action.
For your consideration.
add line:
| where RemoteUrl !endswith ".visualstudio.com" and RemoteUrl !endswith ".microsoft.com"
Ran the query against data in my environment, and the join type appears to be incorrect. Should be rightsemi.
Hello,
First of all, I love every single letter you have written so far. It's greatly appreciated in my learning of KQL! :)
Anyway, I tried this one today (Sentinel-Queries/Azure Active Directory/Identity-AADRiskEventCorrelation.kql) in a fully licensed tenant and get error:
I've used the code as is and maybe I'm missing something. But in case not, I'd let you know! :)
thank you very much.